> At present the project is focused on mobile platforms, specifically Android and iOS, as they cover the vast majority of users and real-world use cases. (..) Desktop support is not currently within the project's scope.
This is the equivalent of a "Do you guys not have phones??"[1] but on a way larger scale.
At least where i live i am able to use the bare minimum of phones, even working with tech. The friction is increasing though, which worries me a lot, and day after day there is a new attempt to shove it down your throat if you want to be considered a member of society. Seeing that a lot of countries (including mine) are pushing for age verification, and the whole thing about Android blocking 'sideload', by the end of 2026 you won't be considered a human being without a government certified smartphone.
I do find it interesting that in an attempt to bring more people into modern society (via ability to access everything from an inexpensive smartphone), we're creating a stratification in society.
My brother hates tech more than me, and only has an old flip phone. I'm always surprised by the random problems he runs into as a result. Unresponsive desktop sites that beg you to download apps are the worst.
Another recent news about mandated app use: Ryanair now (from November) requires using their app for the boarding pass, no more printouts from the desktop. Also, they refuse to show the QR code for the boarding pass in a mobile browser via the website, you must use their app.
This has been the same for most low cost airlines (e.g., Frontier, Spirit). To get a boarding pass without a mobile, customer must go to the counter, pay an additional fee and get the printed version.
No, sending a pdf by email is no extra cost. They already have an email output interface for tickets and recipts and confirmations.
It's all about better tracking. I'm not quite sure what additional info they get exactly, but tons and tons of mobile websites (that work and don't get deleted) are close to unusable due to a barrage of popups telling you to use the app (e.g. Reddit and other socials).
Also there is no indication they will stop the mobile web version. Already today the mobile web version is there but it explicitly refuses to show the boarding pass QR code: https://i.redd.it/lj3wdnfp9mq91.jpg
It doesn't need to be by email. They can simply show it in the mobile website.
But they refuse to do so in order to get all that data which they can sell. In a mobile app it's way harder to run ad blockers and much easier to sneakily collect information on the user. Especially on android which is by far the biggest OS in the countries where Ryanair operates.
We (software agency) recently encountered this line of argument for the first time here in Germany.
It definitely reduces costs to swap 3 platform support to 2, but it still came as a kind of surprise to me. They (customer) poured years and seven digit figures into the web-based version which is now effectively going to be trashed. The current prod metrics are not supporting the 90% mobile thesis... I guess they just have high confidence that it will become true soon.
I'm wondering if these are the first signs of an age-based bias I have and the next generation just can't really imagine a majority of users using desktop PCs.
Ther's a line between "we don't support this platform" and actively making it hostile to try and use a platform. It may have even taken extra development time to make sure they can reject showing the QR code on a webpage, if their app is just serving that same web page.
I disagree. It's a tandem, and corporations and the government are increasingly welded together.
Also, I'm not too worried about the airport usecase as we're already being tracked and surveilled and inspected there as much as possible.
But it's another step to normalize and mandate phone and app use. The puzzle pieces are falling in place. Soon, AI could screen-capture your phone screen to detect suspicious activity, and track every tap you do, also taking pictures with the front-facing camera without you knowing, listening on the mic, etc. etc., connecting it all to your real identity. Because why not? If it's done step by step, nobody will care at all. Maybe that sounds pessimistic, but it looks like the end game and I see no principled political stance against it, nor any insurmountable technical hurdles.
That's an insinuation with some vague truth to it, but not much. Budget airlines are not government departments, and competition between them isn't phony.
"The sky is blue" "I feel that it is increasingly yellow"
There's little competition pressure because consumers don't care. I guess the standard theory says that the buck ends there. If people are fine with it, it's fine.
There have been very few policies truly passed because "everyone wanted it". It always starts with some "radical" minority bringing the idea to light and then campaigning for it. Even if the thing is obvious.
The former happening would make so many things easier.
We'd do well with taking an honest stock of what allowed the formation of democracies and civil liberties, because likely it wasn't that average people longed for it so much that it happened. It's out of my weight class to pitch a grand narrative for this, but we've seen many forms of societies and governances and the current one (or from 20 years ago) won't be the last.
You are arguing there's little competition pressure between budget airlines, a business with notoriously razor thin margins which people shop almost exclusively on price to the exclusion of all other parameters?
Ex - we already have plenty of cases where the government outsources payment processing to 3rd parties. What happens when that private 3rd party declares it's not accepting payments through anything except a mobile app?
Ticketmaster and their stupid app is another good example. As if I couldn't hate Ticketmaster any more I recently bought some tickets and learned about this idiocy.
I throw the tickets into my (digital) wallet and then don't think about the app until the next time I need to buy tickets. But that's not helpful if you don't have a phone.
I used to print paper tickets so I could get into a show if my phone died / got broken / etc. That doesn't happen often, to be sure, but I also don't want phone bullshit to keep me out of a show that, in the case of this recent one, I have >$500 in tickets for. One less dependency is a good thing.
More to the point, the app isn't for my convenience. It doesn't do anything to make my experience better.
They are verbose and vague about it: "Some passengers may be concerned about what they can do if they lose their phone or of their devices run out of battery before the pass board the aircraft. Ryanair has said they will assist people experiencing difficulties free of charge at the gate gathering their information and flight details which will be cross-checked and validated against the flight manifest so that they can board as normal."
Of course-- there will be accommodations to start out with. Then, after the new system has become "just the way things work," the accommodations will be removed for security or efficiency or some other reason.
Or maybe not. I've never lost a boarding pass, but if you lose one, you can get it re-issued somewhere, right?
Without endorsement of the behavior, here's a guy getting arrested for being argumentative about not having a boarding pass in the app, and being told he can't pay their 5 dollar boarding pass print fee with cash.
The likely future is where you'll be given a USB-C charger to charge your phone. If you have no phone or is broken, it will be the equivalent to having a strongly damaged passport. No fly that day, get a new phone, fly on another date, just like if you needed a new passport. The phone will be your ID, passport, credit card and everything. But since it will be all backed up in Google/Apple/Microsoft cloud, maybe you'll be able to buy a new simple phone near the gate, log in via fingerprint and facial recognition and go on your merry way. But also, once all this stuff is connected up in the cloud, maybe facial and fingerprint recognition will be enough to fly. NFC chips under the skin are probably too bad optics for the near future, but in one or two generations, attitudes will shift.
> I've never lost a boarding pass, but if you lose one, you can get it re-issued somewhere, right?
Yes, typically there's a fee for getting it printed at the check-in counter.
To me, that's getting bogged down in details. What matters is the intent and direction. Maybe you will have some workarounds for some time. But just as more and more places go cashless, it will also be paperless and mandatory app-based.
I hope the push for verification leads to the normies learning the ways of identity theft. The fun really ramps up once they figure out free money tricks.
Most of the times the user prioritizes more convenient options over privacy. "Pressure for competing options" will mean that options compete for the most convenient way, not most secure or most private.
Sure, but the point is that the more convenient less-secure ways are going to be criminalized. Otherwise nobody would use the age verification app in the first place.
This is a great example of how this whole requirement hasn't been properly thought out.
> Desktop support is not currently within the project's scope.
What I would like to take from this is that, by their own definition, desktop apps are out of scope for Age Verification. So does that mean we will see a return of the 'desktop applications' instead of everything being a web service ?
One can dream perhaps. Until then adults who are willing to 'do what they're told' will be the ones who are inconvenienced by this constantly.
Edit: Also this will completely disable any new phone OS' being developed. Why would anyone bother when you can't verify your wallet to do anything online.
> Also this will completely disable any new phone OS' being developed. Why would anyone bother when you can't verify your wallet to do anything online.
This already the case today, you can't run your bank's app or government eID apps on anything but Google or Apple devices.
Not in EU. Many banks mandate you either have an iPhone or Google approved Android as 2FA. Those fucking idiots have killed their own competition options.
Effectively, if the client doesn't download the App, they will never be able to log into the homebanking website again. The bank enforced this and now if you login normally it will redirect to a page where you can download the app or use up one of three remaining chances to login. I am down to two. From now on, I'm only able to use ATM's or go to an actual teller to make payments and such. The app requires that I have a Google account or an Apple account and I think that's just messed up, specially for a Portuguese bank.
The app on the google store is pt.novobanco.nbsmarter if anyone is curious. It has interesting permissions as well.
You say "The bank"... does this mean Portugal only has one bank? If not, wouldn't this be a good reason so change banks? Maybe to a credit union (bank co-op) if they have those in Portugal as the members generally have much more of a say.
When I wrote "the bank" I meant, the bank in question, which is the one mentioned in the URL. Hope this makes it clearer for you.
As for alternatives, yes there are, I'm still figuring which ones do not require an app on the smart-phone, though.
I believe I've found a fair alternative after asking a few friends but, I have to account for other factors as well, like, how secure their infrastructure is.
This is because offline 2FA keyfobs were never that popular in Portugal (to my knowledge), unlike 2FA via SMS which I find less secure that keyfobs, but now with the SCA directives from the EU, most banks are jumping on the App 2FA bandwagon. Some do offer a government issued alternative [0] but it still requires an app. I'd be perfectly happy to sign in with my Citizen's ID card reader but that is also rarely implemented (bank-wise), specially since the Chave Movel Digital app from the government [0].
Bottom line, most major banks are going in one direction (deploying their own apps onto customer devices), while smaller banks are staying put (with SMS 2FA) but their security was never that great. So I'm still prospecting and yes, there's a bank co-op on my list also.
Oh, and by "security" I'm mostly going by feel here. Like, if the web interface is a bit jankie I don't feel secure. I'm not going to look into obfuscated .js and pretend like I know anything about web security.
I assume a banking app needs (temporary) permission to use the camera for check photos or things of that nature ... and possibly (temporary) use of location data.
I would be alarmed if it requested microphone or access to either contacts or photo storage ...
All banks are required to have "safe" 2FA in the EU by EU regulation. SMS is banned.
Most banks in Germany, Austria and Portugal default to Play Store or App Store apps with OS integrity checks. It seems like the Nordic countries have it a bit better with the ID reader apps. There are sometimes alternatives and some of them require paid subscription.
The apps they require are proprietary. They are not generic TOTP generators. Some of them require biometric approval. Some just logging in and approving a notification. I have seen some generate a form of non-standard TOTP. Otherwise I wouldn't complain about being locked into Google or Apple ecosystems. They are Play Store or App Store apps that require attestation from the libraries / systems provided Google or Apple like SafetyNet or Play Integrity. Some require strong hardware attestation. If the OS is modified, those checks do not pass. You cannot use any FOSS system without crazy hacks. If the phone is stolen, you have to go through manual reonboarding. It sucks when you're out of the country.
>SMS is banned.
Really? I didn't know that. Can you point me to a document that states that? I'd greatly appreciate it.
>SafetyNet or Play Integrity
A few days ago I did inspect the NovoBanco (Portuguese) apk, and I did look for SafetyNet specifically. They didn't use it. But since I'm not that familiar with the android eco-system I couldn't really tell if Play Integrity was used instead. But I did find a LOT of HMS (Huawei Mobile Services) stuff, and some if it was definitely related to security.
I might take a look at it again tomorrow.
I was curious if I could sideload the app without logging into a google account, meaning without using google services, but all I did was a tiny bit of static analysis instead of actually trying it.
If you have any write-ups on crazy hacks for foss systems, again it would be awesome if you could share them and greatly appreciated. Cheers
Also, is using HMS a normal thing in android development? Last I checked Huawei was persona non grata in the west, at least when it came to hardware like network equipment and consumer devices. I was surprised when I saw HMS in the apk.
All of them now require some kind of 2FA, everywhere. This is due to a legal requirement on all EEA payment providers that they require 2FA for almost everything since 2020, including accessing your account on their website: https://en.wikipedia.org/wiki/Strong_customer_authentication
TOTP codes would be allowed by the regulation, as would biometric approaches or separate physical tokens, but in practice every bank I've used in recent years (quite a few, mostly Spanish but also in Belgium & Switzerland) require that you accept a confirmation prompt or similar in their app.
It feels like "gold-plating" of regulations is and always has been a significant problem in the EU.
Regulations are written (at EU level) to allow X, Y and Z; somehow by the time it's implemented at member state level it miraculously only allows only X or Y, and once it gets to actual service providers (who've presumably been advised by their in-house lawyers that 'Y is bad') we end up with a choice of X or nothing.
Then if you ask anyone at EU level what's going on, they point to what the regulation says, and everyone shrugs.
Well not in Germany. Some banks accept their branded authenticators, some of them don't.
ING in Germany forces you to either have a single Google approved smartphone or a single authenticator, not both.
DKB requires a paid Girocard to use the authenticator or a Google approved smartphone.
N26 requires a single phone but they are a bit lenient. However they have way too many incidents reported where they closed people's accounts without a reason.
The traditional banks have high fees. One pays upwards 10 - 15 Euros a month for Sparkasse or Commerzbank for a simple checking account. Using Sparkasse means you cannot deposit money outside county (yes county and country) borders. Many traditional banks have high fees for withdrawing outside the network.
So one is forced to choose between modern banks with better online experience that's tied to Google and Apple or a traditional bank with oftentimes awful online experience and high fees.
> So one is forced to choose between modern banks with better online experience that's tied to Google and Apple or a traditional bank with oftentimes awful online experience and high fees.
I do not understand how you are coming to that conclusion regarding modern banks. You can use the authentication device, which is completely independent of Google or Apple.
My German bank started to require an Android or IOS smartphone [0]. No dedicated HW, no desktop. I actually dumped my well working Xiaomi Phone because it was either security or banking.
Some neobanks are limited to mobile-only. The OP's statement was too general. It's also true that some regular banks are phasing out 2FA via SMS, which is outdated per EU regulations, and may not easily offer alternatives to their app for 2FA codes.
Please stop spreading disinformation. I live in the EU and my EU bank supports desktop browsers + Card reader matching everything the mobile app can do.
Well in Sweden we can't. You already need bankid on your phone to log in on your PC. There used to be a bankid desktop app and dedicated hardware, but that's gone from many sites now
This has been true since it stopped being true for Internet Explorer. I've not noticed any significant change over time. I have been using Firefox for over 20 years.
True, but there are alternatives to using these services, though a bit more inconvenient. What will be the alternative to the age verification mobile app?
Back when Microsoft said they were going to let Android apps run on Windows before killing it off for I think the third time, I was excited that I'd be able to run my bank app on my desktop. The app is a simple process to login, but the website has about 50 steps to login making it unappealing to use (probably on purpose).
To me it reads that, since many people already believe this is more about tracking than safety, they are focusing on a device which is the perfect surveillance system, and which conveniently already accounts for 7+ hours of many peoples daily computer/internet interaction.
A desktop computer doesn't necessarily have a microphone or camera, and doesn't necessarily have to be connected to the internet. I'd wager most crime, including that which affects children is done on "disconnected devices" in this sense.
Even though it sounds like _you_ probably know this, Cory Doctorow has been sounding this alarm for years. As usual, it seems he was right about the possibility of this being a legitimate battlefront in the (actual, non-hyperbolic) war on freedom.
I think it's more that smartphones have built in security measures that prevent hacking. It already works for bank apps, so why not use it for government stuff too?
It sucks, yes, but that's probably how these people think.
but if age verification is used for what it claims it is such hacking protections are not only unnecessary but fundamentally harmful (i.e. if a child hacks their PC it's fine if they circumvent age verification, the main responsibility still lies with parents and as such tools like parent controls are much more relevant)
the main reason is that this is not a reference implementations or "this is the app everyone must use" case but a "to see what is technical possible/practical" "research/POV" project
this also makes the "EU age verification app" title quite misleading
> I think it's more that smartphones have built in security measures that prevent hacking.
Which is a joke when you know that most phones in the wild are using an obsolete OS version (most of the time due to lack of software support from the manufacturer, but sometimes because some people just refuse to update because updates are in fact downgrades — looking at you iOS).
I used to use a feature phone and I genuinely didn't miss any of the same things.
my commute is a really long ride and I just don't like using my phone in it.
My dumb phone had music system and sd card (I finally managed to have that sd card fixed after an year of using that dumbphone without even an sd card for music)
I just used to stare into nothingness / surrounding and think. (Yes I have edited it because I didn't used to think, I used to overthink just as I am doing right now lol)
Not that productive, but my current phone is so slow that I can't even tell you guys or start telling you. It takes me 1/2 a minute just to unlock it and the only thing its truly good at is having a music player run and some occasional hackernews or pokemon showdown or youtube scrolling.
But tbh, I don't have any banking apps etc. so to me there isn't thaaat much of a difference. I feel like a macbook is genuinely nice as it has that less friction and a pc is great too as compared to a phone for the most part when I am at home.
My screentime is usually just some shorts that I occassionaly watch on phone when I am extremelyyy bored.
I am sad that my dumb phone was in my bag one day and then it just stopped (working??) , I swear I kinda regret having my dad's old phone. I am not sure how he was even using it.
Smartphones are a lot more portable than desktop PCs or even laptops. Unless you enter everyone's home to take an inventory of their devices, it stands to reason that you're going to see more smartphones than anything else by just looking around.
But as long as there are still people using desktop computers, removing access from them is an overreach and makes these ideas totally undemocratic. I am frankly baffled that an organization having the principles and know-how of the EU can even think of gating access to information with something so slipshod.
The only eventuality where this is acceptable is when desktop computers won't even be gated, and then if anyone can circumvent the problem with a computer, why is anyone even bothering with the whole thing...
> I am frankly baffled that an organization having the principles and know-how of the EU can even think of gating access to information with something so slipshod.
That doesn't surprise me at all. Principles in a government body don't exist. They are all crooks.
It doesn't surprise me either, because I'd never be able to use a phrase like "the principles and know-how of the EU" with a straight face. (To be fair, you could replace "the EU" with almost any large bureaucracy.)
I understand we're all old and cynical here, but one of the tenets of discussions on HN would be to take someone's arguments at face value, so I prefer to believe that the EU as an organization actually wants to diminish social exclusion and discrimination. I'm not sure if I'd give the same credit to any other capitalist entity, but the EU does not have the implicit goal of increasing revenue for its shareholders to subvert any of the others stated.
Lots of countries have has similar goals and lofty promises in its constitution.
I take your argument at face value (in that I take it that you believe the EU has that goal at some level). I just to not expect it, as an organisation, to consistently promote that goal (for much the same reasons lots of countries fail to serve their citizens).
Profit making businesses have the explicit goal of making shareholders better off. Management usually choose to balance this against other goals (ethics, the good of wider society, their own interests...), just as the EU has the explicit aim you state, but, similarly, has other conflicting aims.
“They are all crooks” is the motto of another kind of personal corruption: the kind where people abdicate any responsibility to detail or distinction for the sheer indulgence of moral posture without any of the work.
Every time someone says “they’re all crooks” they are the enablers of crooks. The crooks couldn’t do it without people like that.
> This is a great example of how this whole requirement hasn't been properly thought out.
I think this is more an example of you misunderstanding the desires of the people pushing for this.
They want to actually ban this content, they just know that is a harder sell than restricting to adults. So for them, making it harder or impossible to access the content is a feature, not a bug.
And as a prerequisite enforcing dependency on titanic (and in my case foreign) tech companies that are free to unilaterally ban you from communicating with your government. This is a BAD idea.
Depending on the implementation, you can run the app on your computer. I don't see why the iOS app wouldn't work on macOS, and there are tons of tools to run Android apps on Windows and Linux.
If the actual implementations do copy the dependency on Play Integrity and other such APIs, that does become a problem (getting past that is a major annoyance on amd64 computers because there are so few real amd64 Android devices that can be spoofed).
However, the law regarding these apps specifically states that the use of this app must be optional. I'm not sure websites and services will implement other solutions, but in theory you should not need a phone unless you want the convenience and privacy factor of app verification. I expect alternatives (such as 1 cent payments with credit cards in your name) to stick around, at least until we get a better idea about how this thing will work out in practice.
Waydroid on linux comes to mind. It sort of semi worked out of the box on archlinux but I can't try to imagine setting up somewhere else..
Wait a minute, while writing this comment, I realized that there was a guy who sort of packaged waydroid into flatpak-ish to run android apps in flatpak.
I am not an EU citizen but if somebody is & they want this age verification app on desktop, maybe the best way might be to support this android translation layer to convert this EU app into something that can run through flatpak and then use linux I suppose.
I mean, some of y'all are so talented that I feel like surely someone would do it if things do go this way! So not too much to be worried about I suppose :>
I've been saying this for years: eventually not having your phone on you and powered up at all times will not be a crime, but it will be grounds for questioning and search.
One day, there will be a knock on your door.
"Good morning, this is the police. Is there something wrong with your phone? Is your phone broken? Can we provide you with a charge?"
"No, I must have turned it off accidentally."
"Can we assist you with an upgrade? The newer models don't have power buttons."
I think you're exactly right, and the groundwork is being laid today by the standards society is setting for everybody. People will assume a lack of phone or the presence of a phone but lack of usage / content on it, makes you guilty of some sort of crime similar to owning a burner phone.
Tell somebody you use your phone less than 10 minutes a day and look at their face change.
> Tell somebody you use your phone less than 10 minutes a day and look at their face change.
While not less than 10 minutes per day for me, but I was having this argument on reddit over the iPhone Air - people couldn't fathom that there's someone out there that is not on their phone 24/7, and doesn't use their phone as their main computing device.
I clock in at under an hour screen time most days. It's the least ergonomic device for me to do anything remotely serious. Can't even stand typing on a virtual keyboard. My laptop is, and will remain, my main interface to the net and communication with others.
You'd think I was some kind of weird hermit luddite because of it.
What does seem to be happening is rather that the assumption of having a phone will be built into every little thing - in particular mobile payments are becoming mandatory in some places. Transportation including parking is sometimes locked behind an app. We could also see stuff like landlords moving to smart locks that a tenant open with their phone.
Since children are universally not considered real people with real rights schools requiring them to have the right apps to perform their schoolwork are to be expected.
Don't worry, that feature will inevitably be phased out because only a small percentage of people use it.
Every new secure government identification/authentication/verification thing will try to 'just' use Android/IOS, because 'everyone' has one those smartphones.
"Google, google everywhere.
It's attestation is gonna be a nightmare."
Idk I created this just right now lol.
But on a serious note, Maybe check out my comment on something known as the android_translation_layer with flatpak to see if that might help to run that app atleast in linux.
Then you can't use this method of identification, just like you can't use it now. Surely it won't be the only way to identify yourself online. If this provides a frictionless way to do this for 95% of people then it's already a huge win.
No, this is worse because it solidifies Apple/Google's duopoly over the smart phone market even more than it already is.
Not only that, but having this locked behind something that works for 95% of users means the other 5% will never have enough leverage for any other implementations to be approved. Which is absolutely unacceptable for such an essential feature like age verification.
Why can't we continue with an open web standard? We should have complete interoperability regardless of whether I'm using a google smartphone or a custom os I wrote in my garage or bsd or nixos. That is the entire point of web standards: to create the ability to communicate with one-another regardless of system design, so long as standards are properly implemented.
The target, which are the children who access "forbidden" websites without authorization is likely to be lower than amount of people who won't be able to access due to those narrow specs.
If you don't have a phone, you cannot create a new Google or Vk (social network) account today. I expect there will be more things you won't be able to do if you don't want to leak your information.
This is plain stupid. Countries (e.g. where I live) already have systems like SPID or CIE that can authenticate users using a multitude of factors, for example I can authenticate myself with a QR and a phone, or I can not even have a phone at all and have a 20 euros NFC reader connected to the PC and can authenticate using my digital document and a PIN.
No? I had been with dumb phone for almost a year from like 2024-25? What point are you trying to make as I think that there are some good dumb phones in the market which even support things like signal.
I used to use the messaging app through SMS tho, the people that knew me (that 1 friend gets a shoutout here who used to msg me through SMS in the world of whatsapp and my mom!!)
Most phones are used for two things that my father used to quote: Whatsapp (messaging app) and youtube(social media)
Entertainment could somewhat be offloaded via music player etc. into dumb phones and to be really honest, I think that even things like hackernews could be operated on those dumb phones if given the ability to.
https://www.youtube.com/watch?v=QdYrBpBJRI4 : this is the dumbphone which supports signal btw. Wish there was a way to make app for dumbphones like these just as how we can make apps for androids.
I was shocked by how much feature packed my chinese dumb phone was for 11.27$ lol. It just didn't have internet & yeah games as well.
A phone isn't enough, you need an Apple or Google account as well. So if your Google account gets banned, you might as well just jump of a bridge because it's over for you.
App not available doesn't mean age verification not required. You can be required to confirm your account from your mobile phone or scan some QR code on mobile that will take you to age verification session and once completed you can continue from the desktop.
I mean, otherwise would be like not being bound to speed limits if you don't have a speedometer.
>I mean, otherwise would be like not being bound to speed limits if you don't have a speedometer.
That only works in a world in which the government provides speedometers, which restrict the vehicle automatically, and in this case they refuse to provide them at all for blue cars.
So a loss of mobile phone will mean loss of everything? Maybe we should just kill people if they lose a portable mobile device which can just stop working by itself? I fully expect there to be some idiotic scenarios where to get x, you need to already have x.
Be as much work as possible in all places, where the default option is to do something with your mobile phone. If enough people do that, then the alternative to using your phone will need to have good process, so that it is not holding up everyone else.
If something doesn't work without your phone, report it being broken. If they tell you to use your phone, tell them you don't have one. If possible, leave their service, if they don't care.
We have to make it their issue as much as possible, when they try to push their shit onto us.
Surprisingly often there is a workable alternative to using ones smart phone. We have to make use of those as much as possible, so that the cost for them to get rid of those options will be high and they think twice before doing that and offending us.
They will terrorize us like that and then, they will use implanted chips. One primary one backup. It is extremely rare to lose both. Possibly the primary will be in your head.
Why would loss of a mobile phone be that dramatic? Go buy a new one? Having the equipment in something that requires an equipment is pretty reasonable when the price range is within the reach of everybody.
> What I would like to take from this is that, by their own definition, desktop apps are out of scope for Age Verification. So does that mean we will see a return of the 'desktop applications' instead of everything being a web service ?
I doubt it unless something odd happens like triggering some reaction. They’ve looked at the data and see the majority of society using “phones”, which are really just increasingly small computers that happen to have a feature to also make calls; and they’ve decided that this trap they’re leading us all into can and may even need to stay open and inviting for a while anyways until the older people die off and desktop form factors kind of fall by the wayside, before the trap is even ready to be sprung. In the mean time they’ll just gaslight and lie about what they’re doing, to save and protect the children of course, until the day that you tune around from a distraction and the trap door is shut behind you.
It’s the same MO as always, with the gullible and naive enablers being essentially the worse threat than the actual perpetrators.
I've posted this as a response but I'll post it again since it seems like a lot of people are confused about the project:
This project is not THE digital wallet, it is an early prototype of the wallet (which can be criticized for what it is, but the issue is somewhat orthogonal).
The actual infrastructure is not based on attenstation, if you read the guidelines (or the readme) they actually want to implement a double-blind approach with ZKPs, which imo is significantly better than a challenge-response pub key system in term of privacy as some suggested. And allows for cross-platform (and in theory hardware) support.
If you're not familiar this would mean the verifier doesn't learn anything except a statement about attributes (age, license, etc); and the EU doesn't learn what attributes have been tried to verify or by who.
I don't know the specific ZKP variant if that's what you mean, but the general architecture of the system is best described in the 38C3 talk from earlier this year: https://www.youtube.com/watch?v=PKtklN8mOo0
There are some choices that are debatable (more on the issuer side iirc), but imho for the goals it has it's a competently made architecture.
This is misleading. They are merely exploring options that may allow for issuer unlinkability, but they are actually implementing a linkable solution based on standard cryptography that allows issuers (member state governments) to collude with any verifier (a website requiring age verification) to de-anonymize users. The solution is linkable because both the issuer and the verifier see the same identifiers (the SD-JWT and its signature).
The project is supposed to prove that age verification is viable so that the Commission can use it as a success story, while it completely disregards privacy by design principles in its implementation. That the project intends to perhaps at some point implement privacy enhancing technologies doesn't make it any better. Nothing is more permanent than a temporary solution.
It will also be trivial to circumvent [1], potentially leading to a cycle of obfuscation and weakening of privacy features that are present in the current issuer linkable design.
> This is misleading. They are merely exploring options that may allow for issuer unlinkability, but they are actually implementing a linkable solution based on standard ECDSA..
The repository we're commenting on has the following in the spec[0]: "A next version of the Technical Specifications for Age Verification Solutions will include as an experimental feature the Zero-Knowledge Proof (ZKP)". So given that the current spec is not in use, this seems incorrect.
> It will also be trivial to circumvent
If you have a key with the attribute of course you can 'bypass' it, I don't think that's bug. The statement required should be scaled to the application it's used for; this is "over-asking" is considered in the law[1].
> The project is supposed to prove that age verification is viable, while it completely disregards privacy by design principles in its implementation. That the project intends to perhaps at some point implement privacy enhancing technologies doesn't make it any better.
I agree that in it's current state it is effectively unusable due to the ZKPs being omitted.
> So given that the current spec is not in use, this seems incorrect.
No, that's not what they mean. They just mean that the spec (and for now only the spec, not the implementation) will be amended with an experimental feature, while the implementation will not (yet).
I understand (?) that you are interpreting this as: "we'll later document something that we've already implemented", but this is not the case. That isn't how this project operates, and I'm intimately familiar with the codebase so I'm completely certain they haven't implemented this at all. There is no beginning or even a stub for this feature to land, which is problematic, as an unlinkable signature scheme isn't just a drop-in replacement, but requires careful design. Hence privacy by design.
> If you have a key with the attribute of course you can 'bypass' it, I don't think that's bug.
Anyone of age can make an anonymous age attribute faucet [1] for anyone to use. That it's not technically a bug doesn't make it any less trivial to circumvent. I wouldn't expect the public or even the Commission to make such a distinction. They'll clamor that the solution is broken and that it must be fixed, and at that point I expect the obfuscation and weakening of privacy features to start.
So as we already know that the solution will be trivial to circumvent, it shouldn't be released without at least very clearly and publicly announcing it's limitations. Only if such expectations are correctly set, we have a chance not to end up in a cycle where the open source and privacy story will be abandoned in the name of security.
[1] Because of the linkable signature scheme in principle misuse can be detected by issuers, but this would be in direct contradiction with their privacy claims (namely that the issuer pinky promises not to record any issued credentials or signatures).
> Anyone of age can make an anonymous age attribute faucet [1] for anyone to use. That it's not technically a bug doesn't make it any less trivial to circumvent. I wouldn't expect the public or even the Commission to make such a distinction. They'll clamor that the solution is broken and that it must be fixed, and at that point I expect the obfuscation and weakening of privacy features to start.
I can see this argument, but it has a few caveats:
- The 'faucet', providing infinite key material in an open proxy is also very vulnerable
- If the only attribute is age verification then uniqueness is not required; i.e. you can borrow the key of someone you trust and that should be fine.
- The unlinkability is a requirement from the law itself, i.e. the current implementation cannot be executed upon assuming rule of law holds
This is hardware attestation in a nutshell: a double edged sword, and a sharp one at that.
The biggest issue is that the attestation hardware and the application client is the same device with the same manufacturer, who also happens to have a slight conflict of interest between monetizing customers and preserving any sort of privacy.
IMHO the pro-attestation forces are so overwhelming that we should all cherish the moment while we have anything open left.
My understanding of the "double edged sword" idiom is that the tool has both downsides and upsides. What are the upsides to restricting what I can do with the hardware I paid for?
The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
That seems completely contrary to the spirit of EU laws and regulations, which tend to be about protecting the consumer, preventing monopolies, ensuring people can generally live their lives where all things that are mandatory are owned and ran by the state and foster a certain degree of EU independence, with a recent focus on "digital sovereignty".
This one is a five for one against all of those goals? Harms the customer (you could see this as the polar opposite of GDPR), strengthens entrenched monopolies, force citizens to be serfs of one of two private corporations in order to access information, and on top of that, like it wasn't enough, willingly capitulates to the US as the arbitrates of who is a valid person or not.
This is so against the spirit of the EU itself that it would almost be funny if people weren't serious.
> The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
Please (kindly) ask Paolo De Rosa [1], Policy Officer at the European Commission and driver of many of the decisions behind the wallet and the ARF. His position is one of fatalism: that it's "too late"; the duopoly of Goople is entrenched, and it's therefore not a problem if the wallet project entrenches it even further. Regrettably quite a lot of member states agree, although representatives of France and Germany specifically are frequently standing up to the fatalism.
> The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
Because the EU doesn't actually care about privacy, otherwise they wouldn't be trying to do this and ChatControl. They care about being the main ones to spy on you, and maybe using fines as additional "taxes" on rich foreign companies. That's it.
The app this discussion is about is a reference implementation that is part of a long-term process for building a digital identity app. Specifically, this discussion is about the age verification part of the app, which is the first part expected to be finished but is also only a small part of a much wider ideal.
Europe's dependence on American tech is a major pain point but realistically, there are only two smartphone vendors. If a European vendor does rise up, I'm sure whatever app comes out of this process will happily hook into the hardware attestation API for that OS as well.
This "identity wallet" is such a hostile idea, require identification for everything instead of thinking about how to remove identification (for example, allow anonymous banking, traveling).
But you could do attestation on GrapheneOS, no need to require the users to have Google spyware preinstalled. Google is abusing its position here, attestation should be to verify the security model, not Google's business model..
When scoped to attest the full software stack down to the kernel, yes, because it takes control away from the general purpose computing device that the user supposedly owns. I don't however have a problem with attestation scoped to dedicated hardware security devices such as Yubi Keys.
And if such dedicated hardware is ever required by the law, the manufacturer should be prohibited from bundling any business-related functionality there (such as displaying ads) that can't be turned off without breaking the certification.
Google's ad business model should never be mandated by law, unfortunately lawmakers seem to be unaware that this is what requiring Play Integrity effectively means.
Yes, and remote attestation should be illegal on any general purpose computing device, for some reasonable definition of what that is. General purpose computing should be a human right, in particular the right to change the software running on devices that you own.
Take any group of a hundred tech people (devs, analysts, architects, etc.), and 95 of them will do everything with their stock Android or IOS smartphone. Maybe 3 will consciously limit their use of that device, and the remaining 2 reluctantly use something sane like GrapheneOS. Those two might pipe up and take a stand for people without smartphones (which includes a very varied swath of people, from Luddites to people with disabilities), but they'll get drowned out by sighs, sheepish looks, and the chorus of 'let's just start with those two smartphone OSes, and if after a year or two people still really need something else, a new project can be started to address that'.
It's not an insane question, it just doesn't get asked.
> The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
Because this is being pushed by lobbyists to use hardware attestation to make it piratically mandatory for every citizen in the EU to be registered to either Apple or Google with a real id for all non-trivial online interactions at all times. The people behind this push neither have the technical knowledge nor care in the slightest that this is the consequence.
Well, in the end there may only be one thing left we can collectively do, but which we surely won't collectively do, because too many of us are way too comfortable to accept any discomforts: We can avoid using services implementing shit, so that any business that singles out desktop users or disadvantages them, doesn't have much of a customer base. Voting with out feet.
I have very little hope, that the common user will make use of their own agency avoiding a dystopia, or even think about issues associated with their behavior. We can see this everywhere even today. The majority of people are clueless and just accept whatever bone is thrown their way. Need to buy a new phone every year now? OK. Pressured to accept digital surveillance by not even state agencies but private profit oriented companies, that want to sell your data or use it for nefarious purposes? OK. Giving all your communication data to big tech? OK. ... It is all just a big "auto-accept any digital rape" for most people, as they don't even want to think about the technical implications and implications for society. It's all so far above their technological understanding, that they just exit the bus, when it comes to discussing these things. That is the problem we face. How to make the normal person aware and interested in their own digital rights.
Depressingly this feels like a long lost battle. I suspect internet freedoms will continue to be eroded and by the time most people care enough it’ll be too late.
My optimistic brain is hopeful for federated services to become the norm and stand up to this kind of crap.
I fear it is already too late, thanks to the phone duopoly and bulletproof secure boot environments. The EU can now make remote attestation mandatory by law.
We have to assume this is only the first step. The next step will be mandatory identity attestation for everything and your only choices will be to either accept it or not use any services at all.
Unless you can show a direct cause-and-effect relationship from clicking OK on some form to something negative happening in their real life that impacts them in actual physical real life, a real event at a particular time that they can observe with their eyes that relates to their real life (family, job, social life, going about their day), most people won't care. Otherwise it all blurs to some abstract words and theoretical tinfoil-like worries about the "government" and ufos and sovereign citizens.
I finally took a look at the DSA, and it only mentions anything relevant to age verification in three places:
- Recital 71, which vaguely suggests minors' privacy and security should be extra-protected, but says that services shouldn't process extra personal data to identify them.
- Article 28, which says that platforms should provide a high level of "privacy, safety, and security of minors", again without processing extra personal data to identify them. It also says that the Commision may "issue guidelines", but says nothing suggesting age verification should be implemented.
- Article 35, which says that "large online platforms" should maybe implement age verification.
Furthermore, recital 57 says that the regulations for online platforms shouldn't apply to micro/small enterprises (which has a definition somewhere). All together, I don't see anything suggesting that anyone but the largest online services is being forced to implement age verification right now.
Judging by various posts by the Commision I've seen online, they're certainly pushing for the situation to be seen this way, but de iure, that's currently not happening.
EDIT: I found the guidelines mentioned [0], and a nice commentary on the age verification parts [1].
If implemented according to plan, things like ID cards, drivers' licenses, diplomas, train tickets, and even payment control can be handled within such apps entirely digitally. Aside from age verification, with attribute based authentication you can prove digitally that you're permitted to drive a certain vehicle without revealing your social security number (equivalent).
A healthy dose of cynicism would make clear that the moment such optional infrastructure is rolled out, new legislation can be drafted to "save on expenses" by enforcing this digital model and "protect the kids/fight the terrorists" by forcing age verification on more businesses.
> Aside from age verification, with attribute based authentication you can prove digitally that you're permitted to drive a certain vehicle without revealing your social security number (equivalent).
That doesn't make sense because the government knows about every vehicle and its owner and his social security number and there is no point to hide it. I think you misunderstood something or I misunderstood your comment.
The goal of "bringing identity to your phone" is making identification easier to require it in more cases so that the government knows better what its citizens do. One thing if you are required to fill a 20 fields form to buy a bicycle and another thing if you need just to tap your phone at the cash register.
Yes, but this isn't part of the digital wallet project. As I understand it, the Commision was so impatient with age-verification that they commissioned this project separately, because they didn't want to wait for the full solution, hence it being called a "mini-ID wallet".
I'm certainly not against vigilance and making sure no new laws mandating the use of either this or the full digital wallet sneak through, but my point is that, despite the Commision's misleading public stance, age verification is (mostly) not mandatory today.
That's true, but as this is only a small part of the larger project, it's also targeting a very specific part of legislation.
The README for the age verification spec specifically calls out article 28 of the DSA and the Louvain-la-Neuve Declaration. Neither is aiming to be the mandated age verification mechanism for every single website, but rather a specific tool to solve a specific problem: age limits on social media and big tech websites.
If, or, seeing Denmark's recent bullshit: when, we do get mandatory age requirements, it'll be part of new legislation that will likely take years to go into effect, and, seeing how long it took websites to comply with the GDPR, will start affecting most websites even later. This isn't the doomsday law that I would've expected to come from the US if they were to write something like this, and using privacy-first cryptography does give me some faint hope that this isn't just a big performance to hide malicious intent. This could've been as bad as eIDAS 2.0 with the QACs and other unreasonable technical requirements.
I think the title "EU age verification app not planning desktop support" is misleading because it gives the impression that there will be no way to support EU age verification on the desktop.
This is addressed in the comments:
> It should also be noted that this project is an example of a solution that is considered to meet certain requirements of the DSA, regarding the protection of minors. It does not prevent the use of other solutions that also meet those requirements.
So I think a better title might be "EU age verification example app not planning desktop support"
(don't get me wrong, I'm not a fan of how this is implemented, but it's important to be accurate in our critique)
Tin foil hat time: this is why Google is pushing to kill app sideloading.
Mobile phones are the only platform at the moment that can reasonably be used to enforce mandatory software installs and remote attestation. Removing sideloading can down the road leading to Google (or Apple for IOS) forcing all app store provided apps/browsers to support government authentication APIs like this.
Google is gung-ho on embracing every kind of identification law because it aligns with their business model. They sell ads therefore it is important that humans are authenticated. Other social media companies like X have similar incentives.
Denmark has a digital ID service for its citizens called MitID which includes a 2FA system that can involve a smartphone app, but not necessarily. Citizens can request a code display device if they prefer not to use an app. There are also audio code readers for people with impaired vision.
The system works really well and it’s very convenient.
It makes total sense. The whole point is to punish self-respecting people who use freedom preserving operating systems and treat them as second class citizens.
Depends on whom you ask. Google introducing the developer verification and sideloading on iOS being even bigger hurdle, they want to stay in control on what you use and they want to make sure you don't have possibility to use anything they explicitly permit. Normal desktop is unfortunately too open for that. Discourage people to use desktops and make rely on controlled gardens even more.
Only available on Android and ios, only installable from Google and Apple App stores (in practice now, but completely when Google tightens control). So much for digital sovereignty.
It's more then reliance on smartphones, it is reliance on people having a Google or apple account to actually download the app.
That's a large factor worse.
The digital identity wallet has as one of its spear points privacy, but it forces you to have that big tech privacy slaying account.
The much bigger issue is that it's the first time when you're required by law to install government software on your devices. It's breaching your private space and it's immoral and wrong. Private spaces, including digital, should be protected from government by constitutional law.
> the first time you're required by law to install government software on your devices
If it were only that. We could sandbox it, deny it permissions it doesn't need, or inspect what it does. All fine and dandy.
No, it's the first time a democratic government requires you to carry a 5G video recorder that you can't turn off short of smashing it to pieces if the manufacturer is ordered to make it so. But then you can't do half the things a normal person can do so you won't smash it to pieces if you don't have evidence it's currently acting as a bug.
The EU software tries to detect when you put it in a sandbox or when you merely try to inspect what it's doing. Attach a debugger and it'll refuse to verify your age to social media so you can't use that anymore. Install an open source OS on your phone and you can't so much as legally obtain your own government's software in the first place.
I wonder how this aligns with EU's accessibility act. Covering "the vast majority of users and real-world use cases" isn't really enough based on EU's own regulation.
This is insane. USA is already pushing sanctions against Europeans via US companies (e.g. Microsoft revoking ICC accounts), and now they are about to tie basic functioning in the society to two US megacorporations. At the very least this will solidify the duopoly.
At this point I don't find it impossible that critics or other "enemies" of US (or Israel) in Europe will get their phones bricked as sanctions, and as a result become second class citizens.
I don't even see the necessity for having hardware attestation. We've had for decades online ID systems that can you can run on any device with an internet connection.
I can't find which document it was specifically, but I seem to remember that the hackers' ethos always been that it doesn't matter who you are, what your title is or skin looks like, but that your arguments are to be valued by its merit rather than by who says it. Age seems like another one of these properties you are stuck with
I agree with that, I'm not arguing for discrediting arguments by age and ask for authority of the elders or something of that sort. Age provides context, it's helpful with facilitating the conversation in a healthier manner. Just the other day I was having an intense argument with someone on reddit, at some point it occurred to me that they don't understand because they are too young(checked the profile, definitely some kid trying to have an opinion on grown up stuff) and my words don't ring a thing in their head. Instead of being angry for them being too stupid to understand, I decided that they are not stupid or bad people but just too young. I was at that age some time ago and I knew how it feels, so left them alone. They will understand when they understand.
This is because words actually don't carry much meaning, they invoke something that the other side understands already. For example, it's very hard to have a conversation about some aspects of a relation of 40 y/o people if the other party is in their 20s. You need to relate with something of their age and build it up and even then its likely they will understand it completely the wrong way. Over the years people evolve, they go over stuff and when you meet someone who hasn't been through the process you need to be aware of that otherwise you will mistake them for stupid(because, not everyone who ages ends up going through the transformation the same way. You better know if you are speaking to such a person or a younger person who has the chance).
What I don't understand is, why people assume that everything you know about someone is supposed to be used against them. Why everything needs to be malicious?
Thanks for the elaborate and thoughtful reply! I have little to add to the bigger paragraphs, but about the question at the end: I've been wondering the same and think it must be an information age thing. Not in the abstract or the "kids these days" sense, but in that everything is stored somewhere and processed in invisible ways
I don't remember caring that someone took a picture of me with their Nokia when I know that they'll at worst share it to a handful of people via Bluetooth or try to upload it to a friend's MSN channel via GPRS. It won't be uploaded to Facebook, facial-recognized, and stuffed into a global database. Or visiting websites: I operate a website and I know you can parse which pages I viewed straight from the access logs. I don't mind, you can see what paths I took through the website and you might learn how to make a better flow. But technically, drilling down to such an individual user level is tracking based on personal identifiers and so would require consent under 2018's GDPR. I'm happy that it now does because I don't want Google to track every page I visit, and ~everyone uses Google Analytics because then you get perks like knowing what search queries you are doing well on (how convenient that google removed referrers for privacy)
I don't really have a solid answer -- why do I care about Facebook and Google but not about John "Malicious Sysadmin" Doe? -- but maybe it makes sense on some level. I need to think about it more still
I think the problem is that the new communication methods are allowing for new modes of communications that we lack tools for dealing with malicious actors(like IRL when someone lies constantly, we know how to work with that person but we don't know how to deal with someone from the other side of the world who lies as a full time occupation preying for attention). The newer generation people are less and less interested with "talking to strangers" as the environment become too toxic and goal(like promoting a product or pushing an agenda) oriented when the internet became mainstream with the proliferation of 3G and iPhone/Android. IMHO There are not many real people out there, most people who create content are doing it as a job or as a side hustle and those who provide the platform treat people as numbers, probably not much different than butchers who are just trying to produce some meat so they don't see the animals as live being. Plus, there are psychos all over the place who are trying to harm people for entertainment.
As a result, real people are having real talk in the safety group chats where they know the members to som degree, IIUC.
Further tangent, I'm not big on digital ID and stuff overall but then I'll play an online game with cheaters and wonder if it's not the solution to things like this. Lifetime cross platform online game bans tied to your real life ID which you need to sign into this new all encompassing anticheat.
I don't think that anything should be as harsh ever but yes, having a reputation that goes everywhere with you is how we deal with problematic people in real life. That's how we stay civil without AI systems constantly scan us or some type of police constantly watching. Also, we tend to tolerate, forgive and eventually forget when someones behavior improves, so... Maybe actually having a continuous persona can help with the nihilistic tendencies too?
False positives aren't exactly rare. Cheaters trolled PunkBuster's memory scans by sending offending payloads matching blacklisted signatures over popular IRC channels, less recently they exploited an RCE vulnerability to deploy cheats to other players computers, mid-game. AMD released drivers hooking themselves into games processes, triggering detections. And there's a lot of less obvious problems with this approach.
There are other interaction modes than judging or hating. Age is useful for many of those, its especially useful for tolerance. Most cultures do have age based moral code for interaction which compensates both for experience(lack of) and decaying cognitive abilities due to age or provides credibility for perspective and trustworthiness.
This enforced loss of fidelity is among the primary problems for online communications.
So? Go protect them the proper way. Do you want also to have all your messages scanned because you may be up to something illegal? Should we refrain from encryption because can help terrorists? That's not my cup of tea, I don't like proxy "protections" that are supposed to protect us from evil at some huge cost like loosing privacy or human connection.
I don't subscribe to the idea that we should ban knives because someone can use them to stab someone.
Well, yeah. There’s no way to curb the modern cheating epidemic without increasing security measures. Riot Games via Valorant truly pushed the industry so far ahead by reducing their cheating percentages so low that the cost to cheat for more than a few weeks at a time is thousands of dollars a month.
Better that it's a dummy device I can stick in a corner and turn on when needed, than the thing I need to carry around all day for various purposes like finding my way around and showing a legal public transport ticket
Exactly, remote attestation is only acceptable on your own devices with remote attestation servers that you control.
For example, it would be completely fine to implement remote attestation where devices issued by companies to employees verify their TPM values with company's servers when connecting via VPN.
All other such activities directly infringe on ownership rights.
I don't see the value of remote attestation period. Especially when we talk about the mobile world which is a jungle where even the manufacturer itself doesn't have the full picture of all the code running on the device.
Yeah sure it's guarantees that the device is more or less similar as from the factory... and then what? What am I supposed to do with that information?
They point out that some other service could do it:
> It should also be noted that this project is an example of a solution that is considered to meet certain requirements of the DSA, regarding the protection of minors. It does not prevent the use of other solutions that also meet those requirements.
The EU is paying for this one but not other ones apparently. Strange. It's almost as though they're paying to build what they plan to use rather than making an example for the heck of it
As more people move away from spyPhone devices, how is this going to work. Especially having BigTech being able to hold the EU ransom over access to basic government services.
A phone should not be a requirement to partake in society, and I´d even argue the same for a bank account. But I see this month another strong push towards a digital Euro. Is that the true purpose behind this push for .eu ID Apps?
When the UK age verification legislation was being debated I recall people saying "don't worry about unintended consequences, it's not like you'll be have to show your ID to random websites! Someone will show up with a reasonable methodology. You'll be able to e.g. show your ID at a shop and get an anonymous token.".
And plenty of people, including myself, thought "this is so dystopian it couldn't possibly happen".
It did happen, and it's as bad as the doomsayers said it would be.
I would be curious what it's like in the UK. It would probably do well as an HN submission if you're up for writing a blog post about it. All I know is that they passed some legislation that requires people to authenticate for anything that could possibly show nudity or something, including Wikipedia, and that VPN apps were going wild. I don't know what it's actually like in daily life, how one does authenticate to Wikipedia (or if they bought themselves time for now by iirc suing the govt?), if there are privacy-friendly age verification options and if those options are commonly implemented by the websites that need it, etc.
So in order to be a part of European society I need to accept the terms and conditions of US companies?
What happens if something goes wrong and you have to rely on contacting a human in Google of all places? Sorry, you have a copyright strike on your YouTube account, now you can't file taxes! Hopefully you have enough followers on Twitter than you can get them to pay attention.
EU is just rushing into bullshit dystopia scifi with its useless and harmful anonymization and chat control ideas. These just ought to fail and be rolled back. Imagining these succeed seems nearly as wild as waking up in the world where people do yakuza-style thumb cut to every naughty kid who fails to do his homework.
Here's my crack at a good-enough solution for the U.S.
It doesn't have a ton of granularity - but the concept is shovel ready now, dirt cheap, and privacy preserving.
3) Extract its public-key and id (this binds the credential you're creating to your device)
4) The user copies this data to their bank's Age-Verification-Section
5) The bank creates an object that it signs with an attestation of the user's age (KYC) and their pass-key-public-key
6) The user copies this back to app.hornpub.click
7) The passkey is verified on the server, the bank's signature is verified by the server, some other meta-data is verified to make sure nothing weird is happening.
8) The user's age has been verified by their bank without the bank knowing who is asking for verification
* This method is more private than anything requiring sharing your photo-id online
* This method doesn't trigger GLBA or GDPR (user copies data themselves)
What's crazy to me is why they didn't go for that kind of implementation. This works well, ensures privacy, can be audited easily, and doesn't need a f*cking app on my phone.
If you read the guidelines they actually want to implement a double-blind approach with ZKPs, which imo is significantly better than a challenge-response pub key system in term of privacy.
If you're not familiar this would mean the verifier doesn't learns anything except a statement about attributes (age, license, etc); and the EU doesn't learn what attributes have been tried to verify or by who.
What would need to happen in the United States to implement a reliable ZKP age verification system - and how long would it take to roll it out?
Asking because it feels like the Titanic has sunk, and we're eschewing a floating door because the coast guard has regulation conformant life rafts that would work better.
> United States to implement a reliable ZKP age verification system
(my emphesis)
Realistically at least 3-4 years, assuming they want to keep the same goals as eIDAS. I think the (software) implementation will be the least costly part, time-wise; but it takes a long time before everyone adopts a new social system. Especially in the US where there has been no precedent for digital identification. Even with full control of your own ID & and solid implementation details, there will be push-back just for suggesting that people/companies should adopt it.
What happens if some party is able to get logs of the bank's age attestation signings and of hornpub.click's steps #2 and #6? It appears this would present some risk of matching up hornpub.click accounts with real IDs.
This is called "linkability" and ideally should be avoided so anonymous age verification can be safe.
Can you elaborate on how the risk of ironbank and hornpub colluding by de-anonymizing you via rainbow tables or IP forensics is substantially greater than Chase and PornHub using - Google Marketing?
It isn't, but due to bureaucracy, when designing a solution, it's that solution that has to be "secure" without really considering that the current outside situation is already insecure..
Anyway I'm not advocating for this solution, just addressing the question directly.
I think that the European Digital Identity project should not be hosting its source code and content related to European standards, guidelines, and initiatives on GitHub, a closed source product owned by Microsoft.
If nonprofits like the FSF or communities like the Debian project are able to store their code, why is an organisation with the magnitude of the European Comission unable to do it.
Why stop there? Go all in: they should not run their open source totalitarian digital control nightmare codebase on closed source hardware, because that's the real issue!
My experience with digitalisation is that the optional physical service desks quickly start disappearing once the younger generations start using digital equivalents.
Card payments and digital banking have closed most bank offices outside the larger cities. Mail dropoff boxes are slowly dying out. Paper bank invoices now cost extra (an unreasonable amount extra).
Granny may be able to verify her age, but the service desk won't necessarily be local.
Here's the official Dutch government solution for if your mobile phone doesn't have NFC, if they don't support your phone's OS, or if they actively went out of their way to block your android distribution: "go ask for another person's device then" https://www.digid.nl/stappenplan/id-check-toevoegen-aan-de-d...
While I agree EU is nothing like USSR, calling it a market economy is kind of questionable. It’s a bit of a hybrid, which companies allowed to market and sell on their own but with intense regulatory control over product design.
From USBC to ad supported business models, the EU has fairly tight control over how products are designed and monetized, in a way that I don’t think can be described as a pure market economy.
Note that I’m NOT saying their level of centralized control and government specification of product requirements is bad. It’s a legit trade off and there are arguments that some or all of it is enlightened. But it’s certainly not a place where you just build your product and ship it and let the market decide.
since when a market economy need to have no regulation?
Market economies are contrasted with planned economies, i.e. how prices are determined and production allocated, and the EU most decidedly is not that.
Well, obviously there are differences, but some overreaching and, I believe, unrealistic policies, such as the EU's climate policies, are somewhat reminiscent of the Soviet Union's central planning.
Russia is a one way step ahead here, with mandatory pre-installed apps, full-scale internet censorship (still catching up with China, though), mandatory DPI, etc.
Notably not the Netherlands. They've got the ID card chip (as required internationally iirc) but I emailed them once to get the public key so I can verify signatures (this was like 2016, I was still in school) and they said it was for governmental use only. It's not meant to be used by commercial entities
Why the EU decides to go with the bad example rather than the good example, I have no idea. Both ways achieve the stated goal of age verification and even the possible goal of universal ID tracking, without disallowing you to do whatever you want with your phone's privacy settings
this was the case in portugal too, although i don't know if it still is since gov apps have been pushed to the apple and google stores. edit: it should still work according to this https://www.autenticacao.gov.pt/cartao-cidadao/autenticacao
Gov app uses the "Chave Móvel Digital", which can be used in the browser, as well as in a variety of mobile apps. This CMD can also be used to digitally sign documents.
I believe it's still possible to use the physical card with a reader for many things.
I think some services still don't work with the CMD. Recently, I had to ask for changes to my car's document, and it seems it's only possible with the card itself. (https://www.automovelonline.mj.pt/AutoOnlineProd/)
It seems very reasonable to me for a first version of a system to only support the most popular platforms. Especially since this is open source, nothing stops enthusiasts to port the mechanisms to more niche platforms later.
Lets pretend the EU would mandate Desktop Support, we all know it will be only applied to Windows and Apple. Maybe for Linux, BSD it will never be applied.
In anycase we all know ways of bypassing this age verification will be found, probably by the kids themselves. But all this will do is enable US big tech, killing the very EU based companies the EU has been crying about for years.
Meta, Twitter, Google and M/S could not have created a better law to protect them then this law.
Kids will bypass any verification by secretly using an adult ID or just straight away asking them to do it.
Hell the crazy things I used to do to connect to the internet after my mother went to sleep. She didn't wanted me using the internet because of phone charges so I secretly got into the roof to strip the phone wire bare and connect my own hidden cable that I would unroll and route it to my room to connect to my modem at night. YES part of it was to watch porn and download mp3s and roms. No I wasn't of legal age. Did my life got ruined by this? Well I'm an IT engineer now so arrive at your own conclusion.
I think this current hysteric moral panic is definitely being pushed by a lobby of a nascent AI industry that wants to create a problem for their surveillance tech solution.
What a sovereign tech indeed, considered that both Android and iOS are USA flagship mobile OSes...
Beside that, as long as people do not realize that Desktops are for personal ownership and personal production while mobile are only for surveillance and consumption all digitization efforts will push those who knows toward something else, cryptos instead of legal tender money, self-hosted stuff and so on.
As a result at a given point in time population will be split in two main cohort: those who knows vs all the rest.
VPN will maybe work for porn but, as they say, "Age verification plays a crucial role across various scenarios, including access to online services, purchases of age-restricted products and claiming age-related benefits."
Yeah, all sorts of pointless crap. 7 years of updates, that's the iPhone X? Yeah I couldn't care less. USB-C? Don't care. I use wireless charging. If we could lose all of that in exchange for losing cookie banners I would take it in a heartbeat.
In another couple of decades the EU will be an irrelevant market as their population becomes even poorer. Then we can finally be free of their nonsense. The only risk is that the Eastern European countries become more prosperous than the Western European ones and prop up their influence.
Looking forward to this becoming the norm in the US at some point around the time I retire from the tech sector to go farm. I will take a nice boat ride into the ocean and throw my phone into a particulary deep spot.
A lot of people outraged by this but ultimately this is good news - the more flagrant & public the technical incompetence of the people putting together these idiotic systems, the easier mass push back will be to foment.
You don't only need the account, you need a phone that is locked down with hardware components and cryptographic keys that attest it hasn't been modified "unauthorizedly". Where the authority is not the device "owner" but Google, Apple, and the manufacturer
The account would be easy enough with fake data and a 10€ prepaid one-time-use phone number. Finding an exploit in Android such that you can turn off Google's tracking but not trigger their "you modified your device" scans (that are to be tied to your government identity verification continuing to work) is a game I'm not looking forward to playing.
At this point I think they very well do understand. Rocky times are ahead, TPTB know they're at risk if things get bad enough for the average denizen and they want to get in as much leverage against future dissidents as possible.
The tldr is that they have a legal requirement to bind "verifiable credential shares" with the same human who got the e-ID originally, up to the current best practical technology. On Android, they judge that to be "keep the private key in the HSM and require a local biometric (or PIN) unlock to use it". This is why they argue that proving your age will not be possible without a mobile device.
You can prove your age anonymously, for anonymous account, which can be used on a non-mobile device. It's just that the proving the age part must happen from a mobile device.
À propos of more or less nothing: in the Swiss context, websites requesting the proof will be required to request the least information necessary for their need. They must NOT ask for your name, ID number, or birthdate if the question they are trying to answer is, "is this person old enough for our service?"
This is excellent technology, and the Swiss law on it that we are voting for next weekend is an excellent law, so I urge a OUI/JA/SI vote on it, if you're a Swiss citizen.
> The tldr is that they have a legal requirement to bind "verifiable credential shares" with the same human who got the e-ID
Glancing at the thread, I don't see that conclusion. User 'sideeffect42' cites some laws and says
>> As I read this it nowhere says that the e-ID has to be bound to a device. It only speaks about binding it to its owner which (IANAL) could be implemented by password protection (like KeePass) as well, since only the owner knows the password.
Nobody seems to have replied to that
Alternatively, the software could just scan your ID card's chip when you need it, or whatever it is that it does for first-time-use verification anyway. It needs not require your phone is locked down, locking you out of any control over tracking, installed apps, or reading the phone's storage and network traffic to merely see what it tracks about you. The phone can simply act as an NFC reader so that your ID can sign a challenge with an "over 18" flag included within the signed data
And that's if you want ubiquitous age verification in the first place. I find that u/raincole made a good point here that outlandish implementations have successfully shifted the discussion away from the aspect of whether ID-based checks must be widely performed: https://news.ycombinator.com/item?id=45361883
> so I urge [to vote a certain way], if you're a Swiss citizen
Is this post genuinely trying to add something to the thread, or a way to promote your agenda?
- this project is just one implementation (POC if you want)
- they simply state the current scope of the project
For anyone sane managing projects it makes sense to correctly allocate resources that would cover the most people.
and to all those whining butthurt individuals here - reality check is that it's way more probable that someone has and uses a smartphone than a computer. go out of your tiny bubbles...
> At present the project is focused on mobile platforms, specifically Android and iOS, as they cover the vast majority of users and real-world use cases. (..) Desktop support is not currently within the project's scope.
This is the equivalent of a "Do you guys not have phones??"[1] but on a way larger scale.
At least where i live i am able to use the bare minimum of phones, even working with tech. The friction is increasing though, which worries me a lot, and day after day there is a new attempt to shove it down your throat if you want to be considered a member of society. Seeing that a lot of countries (including mine) are pushing for age verification, and the whole thing about Android blocking 'sideload', by the end of 2026 you won't be considered a human being without a government certified smartphone.
[1]: https://www.youtube.com/watch?v=ly10r6m_-n8
I do find it interesting that in an attempt to bring more people into modern society (via ability to access everything from an inexpensive smartphone), we're creating a stratification in society.
My brother hates tech more than me, and only has an old flip phone. I'm always surprised by the random problems he runs into as a result. Unresponsive desktop sites that beg you to download apps are the worst.
Another recent news about mandated app use: Ryanair now (from November) requires using their app for the boarding pass, no more printouts from the desktop. Also, they refuse to show the QR code for the boarding pass in a mobile browser via the website, you must use their app.
https://www.msn.com/en-ie/travel/news/ryanair-s-new-check-in...
This has been the same for most low cost airlines (e.g., Frontier, Spirit). To get a boarding pass without a mobile, customer must go to the counter, pay an additional fee and get the printed version.
A BIG reason these companies like Ryanair want you to use their app its that it's much easier to collect data about you than through a website :(
No, it's a cost cutting measure. App-only reduces support and development costs with whoever they're outsourcing this too.
There's a line item which basically said "mobile web" and they wanted it gone to save some number of dollars per year.
No, sending a pdf by email is no extra cost. They already have an email output interface for tickets and recipts and confirmations.
It's all about better tracking. I'm not quite sure what additional info they get exactly, but tons and tons of mobile websites (that work and don't get deleted) are close to unusable due to a barrage of popups telling you to use the app (e.g. Reddit and other socials).
Also there is no indication they will stop the mobile web version. Already today the mobile web version is there but it explicitly refuses to show the boarding pass QR code: https://i.redd.it/lj3wdnfp9mq91.jpg
As an SRE I can assure you that "sending a PDF by email" is far from free to support, and anything email is pretty much top of the list to eliminate.
It doesn't need to be by email. They can simply show it in the mobile website.
But they refuse to do so in order to get all that data which they can sell. In a mobile app it's way harder to run ad blockers and much easier to sneakily collect information on the user. Especially on android which is by far the biggest OS in the countries where Ryanair operates.
We (software agency) recently encountered this line of argument for the first time here in Germany.
It definitely reduces costs to swap 3 platform support to 2, but it still came as a kind of surprise to me. They (customer) poured years and seven digit figures into the web-based version which is now effectively going to be trashed. The current prod metrics are not supporting the 90% mobile thesis... I guess they just have high confidence that it will become true soon.
I'm wondering if these are the first signs of an age-based bias I have and the next generation just can't really imagine a majority of users using desktop PCs.
Ther's a line between "we don't support this platform" and actively making it hostile to try and use a platform. It may have even taken extra development time to make sure they can reject showing the QR code on a webpage, if their app is just serving that same web page.
Big difference between a private company mandating app use, and a government
I disagree. It's a tandem, and corporations and the government are increasingly welded together.
Also, I'm not too worried about the airport usecase as we're already being tracked and surveilled and inspected there as much as possible.
But it's another step to normalize and mandate phone and app use. The puzzle pieces are falling in place. Soon, AI could screen-capture your phone screen to detect suspicious activity, and track every tap you do, also taking pictures with the front-facing camera without you knowing, listening on the mic, etc. etc., connecting it all to your real identity. Because why not? If it's done step by step, nobody will care at all. Maybe that sounds pessimistic, but it looks like the end game and I see no principled political stance against it, nor any insurmountable technical hurdles.
> increasingly welded together
That's an insinuation with some vague truth to it, but not much. Budget airlines are not government departments, and competition between them isn't phony.
"The sky is blue" "I feel that it is increasingly yellow"
There's little competition pressure because consumers don't care. I guess the standard theory says that the buck ends there. If people are fine with it, it's fine.
Now you're talking! People suck, it's their fault.
There have been very few policies truly passed because "everyone wanted it". It always starts with some "radical" minority bringing the idea to light and then campaigning for it. Even if the thing is obvious.
The former happening would make so many things easier.
We'd do well with taking an honest stock of what allowed the formation of democracies and civil liberties, because likely it wasn't that average people longed for it so much that it happened. It's out of my weight class to pitch a grand narrative for this, but we've seen many forms of societies and governances and the current one (or from 20 years ago) won't be the last.
You are arguing there's little competition pressure between budget airlines, a business with notoriously razor thin margins which people shop almost exclusively on price to the exclusion of all other parameters?
This isn't a serious argument.
Only price pressure. No measurable number of consumers will choose a different airline due to their boarding pass app policy.
Functionally, I'm not sure I agree.
Ex - we already have plenty of cases where the government outsources payment processing to 3rd parties. What happens when that private 3rd party declares it's not accepting payments through anything except a mobile app?
Ticketmaster and their stupid app is another good example. As if I couldn't hate Ticketmaster any more I recently bought some tickets and learned about this idiocy.
I throw the tickets into my (digital) wallet and then don't think about the app until the next time I need to buy tickets. But that's not helpful if you don't have a phone.
I used to print paper tickets so I could get into a show if my phone died / got broken / etc. That doesn't happen often, to be sure, but I also don't want phone bullshit to keep me out of a show that, in the case of this recent one, I have >$500 in tickets for. One less dependency is a good thing.
More to the point, the app isn't for my convenience. It doesn't do anything to make my experience better.
And most wallet apps don't work if you install your own phone OS.
But what if my battery runs out?
They are verbose and vague about it: "Some passengers may be concerned about what they can do if they lose their phone or of their devices run out of battery before the pass board the aircraft. Ryanair has said they will assist people experiencing difficulties free of charge at the gate gathering their information and flight details which will be cross-checked and validated against the flight manifest so that they can board as normal."
Of course-- there will be accommodations to start out with. Then, after the new system has become "just the way things work," the accommodations will be removed for security or efficiency or some other reason.
Or maybe not. I've never lost a boarding pass, but if you lose one, you can get it re-issued somewhere, right?
Without endorsement of the behavior, here's a guy getting arrested for being argumentative about not having a boarding pass in the app, and being told he can't pay their 5 dollar boarding pass print fee with cash.
https://www.youtube.com/watch?v=0QwwPmHyuEA
Again, being argumentative like this never helps, but it will be you either go along with it, get escorted out or not fly in the first place.
The likely future is where you'll be given a USB-C charger to charge your phone. If you have no phone or is broken, it will be the equivalent to having a strongly damaged passport. No fly that day, get a new phone, fly on another date, just like if you needed a new passport. The phone will be your ID, passport, credit card and everything. But since it will be all backed up in Google/Apple/Microsoft cloud, maybe you'll be able to buy a new simple phone near the gate, log in via fingerprint and facial recognition and go on your merry way. But also, once all this stuff is connected up in the cloud, maybe facial and fingerprint recognition will be enough to fly. NFC chips under the skin are probably too bad optics for the near future, but in one or two generations, attitudes will shift.
> I've never lost a boarding pass, but if you lose one, you can get it re-issued somewhere, right?
Yes, typically there's a fee for getting it printed at the check-in counter.
What about Google Wallet? Or just a PDF from your email?
To me, that's getting bogged down in details. What matters is the intent and direction. Maybe you will have some workarounds for some time. But just as more and more places go cashless, it will also be paperless and mandatory app-based.
This is good I think because lack of verifications anywhere is good. So at least desktops will be free of it.
Worse: You just won't be able to use websites on desktop unless you pull out your phone and verify.
I hope the push for verification leads to the normies learning the ways of identity theft. The fun really ramps up once they figure out free money tricks.
But this will at least create a healthy pressure for competing options for users on desktops, likely based on novel secure protocols.
Most of the times the user prioritizes more convenient options over privacy. "Pressure for competing options" will mean that options compete for the most convenient way, not most secure or most private.
Sure, but the point is that the more convenient less-secure ways are going to be criminalized. Otherwise nobody would use the age verification app in the first place.
This is a great example of how this whole requirement hasn't been properly thought out.
> Desktop support is not currently within the project's scope.
What I would like to take from this is that, by their own definition, desktop apps are out of scope for Age Verification. So does that mean we will see a return of the 'desktop applications' instead of everything being a web service ?
One can dream perhaps. Until then adults who are willing to 'do what they're told' will be the ones who are inconvenienced by this constantly.
Edit: Also this will completely disable any new phone OS' being developed. Why would anyone bother when you can't verify your wallet to do anything online.
> Also this will completely disable any new phone OS' being developed. Why would anyone bother when you can't verify your wallet to do anything online.
This already the case today, you can't run your bank's app or government eID apps on anything but Google or Apple devices.
> you can't run your bank's app
I can log in to my bank account using my desktop PC
> government eID apps
I can sign into government websites using my desktop PC and its smart card reader and my government-issued eID smartcard. No smartphone needed.
Not in EU. Many banks mandate you either have an iPhone or Google approved Android as 2FA. Those fucking idiots have killed their own competition options.
While everyone took the opportunity to reply to you with "Not in my bank/country/to-my-awareness" This is what's happening in Portugal:
https://old.reddit.com/r/portugal/comments/1msc886/obriga%C3...
Effectively, if the client doesn't download the App, they will never be able to log into the homebanking website again. The bank enforced this and now if you login normally it will redirect to a page where you can download the app or use up one of three remaining chances to login. I am down to two. From now on, I'm only able to use ATM's or go to an actual teller to make payments and such. The app requires that I have a Google account or an Apple account and I think that's just messed up, specially for a Portuguese bank.
The app on the google store is pt.novobanco.nbsmarter if anyone is curious. It has interesting permissions as well.
Edit: This is the landing page (one login left, oh dear...) https://files.catbox.moe/x117iy.png
rsync, here you go:
https://reports.exodus-privacy.eu.org/en/reports/652314/
You say "The bank"... does this mean Portugal only has one bank? If not, wouldn't this be a good reason so change banks? Maybe to a credit union (bank co-op) if they have those in Portugal as the members generally have much more of a say.
When I wrote "the bank" I meant, the bank in question, which is the one mentioned in the URL. Hope this makes it clearer for you.
As for alternatives, yes there are, I'm still figuring which ones do not require an app on the smart-phone, though.
I believe I've found a fair alternative after asking a few friends but, I have to account for other factors as well, like, how secure their infrastructure is.
This is because offline 2FA keyfobs were never that popular in Portugal (to my knowledge), unlike 2FA via SMS which I find less secure that keyfobs, but now with the SCA directives from the EU, most banks are jumping on the App 2FA bandwagon. Some do offer a government issued alternative [0] but it still requires an app. I'd be perfectly happy to sign in with my Citizen's ID card reader but that is also rarely implemented (bank-wise), specially since the Chave Movel Digital app from the government [0].
Bottom line, most major banks are going in one direction (deploying their own apps onto customer devices), while smaller banks are staying put (with SMS 2FA) but their security was never that great. So I'm still prospecting and yes, there's a bank co-op on my list also.
Oh, and by "security" I'm mostly going by feel here. Like, if the web interface is a bit jankie I don't feel secure. I'm not going to look into obfuscated .js and pretend like I know anything about web security.
[0] https://www.autenticacao.gov.pt/a-chave-movel-digital
> While everyone took the opportunity to reply to you with "Not in my bank/country/to-my-awareness" This is what's happening in Portugal:
Well yeah but that's what you get when you make overly broad statements like "not in the EU".
Can you expand on:
"It has interesting permissions as well ..." ?
I assume a banking app needs (temporary) permission to use the camera for check photos or things of that nature ... and possibly (temporary) use of location data.
I would be alarmed if it requested microphone or access to either contacts or photo storage ...
I updated the above comment. Cheers.
My bank (in the EU) has a fully functional website where I can identify myself using an offline 2fa device.
Spain provides smart cards to their citizens. Mobile is not needed.
My experience of using them is horrible.
Yes in EU. I'm in Spain and I sign up to several banks as well as government sites in my desktop PC.
That’s what competition is for. You can still swap banks over such nonsense.
Which banks? Which country? How do they check and enforce iPhone / Google wrt. 2FA? Are you referring to TOTP as 2FA?
All banks are required to have "safe" 2FA in the EU by EU regulation. SMS is banned.
Most banks in Germany, Austria and Portugal default to Play Store or App Store apps with OS integrity checks. It seems like the Nordic countries have it a bit better with the ID reader apps. There are sometimes alternatives and some of them require paid subscription.
The apps they require are proprietary. They are not generic TOTP generators. Some of them require biometric approval. Some just logging in and approving a notification. I have seen some generate a form of non-standard TOTP. Otherwise I wouldn't complain about being locked into Google or Apple ecosystems. They are Play Store or App Store apps that require attestation from the libraries / systems provided Google or Apple like SafetyNet or Play Integrity. Some require strong hardware attestation. If the OS is modified, those checks do not pass. You cannot use any FOSS system without crazy hacks. If the phone is stolen, you have to go through manual reonboarding. It sucks when you're out of the country.
>SMS is banned. Really? I didn't know that. Can you point me to a document that states that? I'd greatly appreciate it.
>SafetyNet or Play Integrity
A few days ago I did inspect the NovoBanco (Portuguese) apk, and I did look for SafetyNet specifically. They didn't use it. But since I'm not that familiar with the android eco-system I couldn't really tell if Play Integrity was used instead. But I did find a LOT of HMS (Huawei Mobile Services) stuff, and some if it was definitely related to security.
I might take a look at it again tomorrow.
I was curious if I could sideload the app without logging into a google account, meaning without using google services, but all I did was a tiny bit of static analysis instead of actually trying it.
If you have any write-ups on crazy hacks for foss systems, again it would be awesome if you could share them and greatly appreciated. Cheers
Also, is using HMS a normal thing in android development? Last I checked Huawei was persona non grata in the west, at least when it came to hardware like network equipment and consumer devices. I was surprised when I saw HMS in the apk.
All of them now require some kind of 2FA, everywhere. This is due to a legal requirement on all EEA payment providers that they require 2FA for almost everything since 2020, including accessing your account on their website: https://en.wikipedia.org/wiki/Strong_customer_authentication
TOTP codes would be allowed by the regulation, as would biometric approaches or separate physical tokens, but in practice every bank I've used in recent years (quite a few, mostly Spanish but also in Belgium & Switzerland) require that you accept a confirmation prompt or similar in their app.
It feels like "gold-plating" of regulations is and always has been a significant problem in the EU.
Regulations are written (at EU level) to allow X, Y and Z; somehow by the time it's implemented at member state level it miraculously only allows only X or Y, and once it gets to actual service providers (who've presumably been advised by their in-house lawyers that 'Y is bad') we end up with a choice of X or nothing.
Then if you ask anyone at EU level what's going on, they point to what the regulation says, and everyone shrugs.
Of course in the EU - pretty much all Baltic and Nordic countries support id cards connected via usb
Well not in Germany. Some banks accept their branded authenticators, some of them don't.
ING in Germany forces you to either have a single Google approved smartphone or a single authenticator, not both.
DKB requires a paid Girocard to use the authenticator or a Google approved smartphone.
N26 requires a single phone but they are a bit lenient. However they have way too many incidents reported where they closed people's accounts without a reason.
The traditional banks have high fees. One pays upwards 10 - 15 Euros a month for Sparkasse or Commerzbank for a simple checking account. Using Sparkasse means you cannot deposit money outside county (yes county and country) borders. Many traditional banks have high fees for withdrawing outside the network.
So one is forced to choose between modern banks with better online experience that's tied to Google and Apple or a traditional bank with oftentimes awful online experience and high fees.
> So one is forced to choose between modern banks with better online experience that's tied to Google and Apple or a traditional bank with oftentimes awful online experience and high fees.
I do not understand how you are coming to that conclusion regarding modern banks. You can use the authentication device, which is completely independent of Google or Apple.
My German bank started to require an Android or IOS smartphone [0]. No dedicated HW, no desktop. I actually dumped my well working Xiaomi Phone because it was either security or banking.
[0] https://www.1822direkt.de/service/fragen-und-antworten/detai...
I actually considered switching to 1822direkt last year. No more!
Nope, Sweden requires Mobile BankID on iOS or Android for example.
BankID has a desktop version, and no site which requires Mobile BankID would not allow you to also use the desktop version.
But it doesn't support Linux.
Likewise in Sweden. No bank that I’m aware of is limited to require mobile only login.
Some neobanks are limited to mobile-only. The OP's statement was too general. It's also true that some regular banks are phasing out 2FA via SMS, which is outdated per EU regulations, and may not easily offer alternatives to their app for 2FA codes.
>Not in EU.
Please stop spreading disinformation. I live in the EU and my EU bank supports desktop browsers + Card reader matching everything the mobile app can do.
Well in Sweden we can't. You already need bankid on your phone to log in on your PC. There used to be a bankid desktop app and dedicated hardware, but that's gone from many sites now
For now, there is an increasing number of banks and government websites that are broken if you are not using Chrome or full on requires it.
This has been true since it stopped being true for Internet Explorer. I've not noticed any significant change over time. I have been using Firefox for over 20 years.
True. But it doesn't _need_ to be so, it's actually a problem.
> This already the case today, you can't run your bank's app or government eID apps on anything but Google or Apple devices.
Fairphone 6 with e/OS begs to differ. Dutch phone with a French OS. No issues.
well, my bank's app does not run on /e/OS. i get some kind of security error
True, but there are alternatives to using these services, though a bit more inconvenient. What will be the alternative to the age verification mobile app?
Back when Microsoft said they were going to let Android apps run on Windows before killing it off for I think the third time, I was excited that I'd be able to run my bank app on my desktop. The app is a simple process to login, but the website has about 50 steps to login making it unappealing to use (probably on purpose).
You can, aith Windows subsystem for Android. Unsurprisingly, it's not going to be supported for much longer.
I get that it wouldn't be optimal but can you run it on an android emulator?
This read more like "we thought pc was a dead relic of the past" sadly
To me it reads that, since many people already believe this is more about tracking than safety, they are focusing on a device which is the perfect surveillance system, and which conveniently already accounts for 7+ hours of many peoples daily computer/internet interaction.
A desktop computer doesn't necessarily have a microphone or camera, and doesn't necessarily have to be connected to the internet. I'd wager most crime, including that which affects children is done on "disconnected devices" in this sense.
you could pretty much replace the statement with "General purpose computing considered harmful"
> "General purpose computing considered harmful"
Even though it sounds like _you_ probably know this, Cory Doctorow has been sounding this alarm for years. As usual, it seems he was right about the possibility of this being a legitimate battlefront in the (actual, non-hyperbolic) war on freedom.
or user 'having free will is problematic and unsafe' if we want to go even deeper :(
I think it's more that smartphones have built in security measures that prevent hacking. It already works for bank apps, so why not use it for government stuff too?
It sucks, yes, but that's probably how these people think.
but if age verification is used for what it claims it is such hacking protections are not only unnecessary but fundamentally harmful (i.e. if a child hacks their PC it's fine if they circumvent age verification, the main responsibility still lies with parents and as such tools like parent controls are much more relevant)
the main reason is that this is not a reference implementations or "this is the app everyone must use" case but a "to see what is technical possible/practical" "research/POV" project
this also makes the "EU age verification app" title quite misleading
> I think it's more that smartphones have built in security measures that prevent hacking.
Which is a joke when you know that most phones in the wild are using an obsolete OS version (most of the time due to lack of software support from the manufacturer, but sometimes because some people just refuse to update because updates are in fact downgrades — looking at you iOS).
Well, looking around I see more people using smartphones for anything and even not having a PC…
I've seen this as well. It's getting increasingly normal, but I cannot imagine doing the same myself.
There's a much bigger likelihood of me going back to a feature-phone, compared to me starting to use my phone for anything but the absolute basics.
I used to use a feature phone and I genuinely didn't miss any of the same things.
my commute is a really long ride and I just don't like using my phone in it.
My dumb phone had music system and sd card (I finally managed to have that sd card fixed after an year of using that dumbphone without even an sd card for music)
I just used to stare into nothingness / surrounding and think. (Yes I have edited it because I didn't used to think, I used to overthink just as I am doing right now lol)
Not that productive, but my current phone is so slow that I can't even tell you guys or start telling you. It takes me 1/2 a minute just to unlock it and the only thing its truly good at is having a music player run and some occasional hackernews or pokemon showdown or youtube scrolling.
But tbh, I don't have any banking apps etc. so to me there isn't thaaat much of a difference. I feel like a macbook is genuinely nice as it has that less friction and a pc is great too as compared to a phone for the most part when I am at home.
My screentime is usually just some shorts that I occassionaly watch on phone when I am extremelyyy bored.
I am sad that my dumb phone was in my bag one day and then it just stopped (working??) , I swear I kinda regret having my dad's old phone. I am not sure how he was even using it.
Same, but I also have other quirks and that doesn't mean this is TheTrueWay and everyone should adapt to it :)
Smartphones are a lot more portable than desktop PCs or even laptops. Unless you enter everyone's home to take an inventory of their devices, it stands to reason that you're going to see more smartphones than anything else by just looking around.
Sure, but computers are a lot more capable. Even for just scrolling sites, a desktop computer is a superior experience.
The vast majority of those people are never going to know the freedom and power afforded by using a general purpose computer you actually control.
The "war on general purpose computing" need only be the waiting-out for those of us who remember actually owning a computer to die.
But as long as there are still people using desktop computers, removing access from them is an overreach and makes these ideas totally undemocratic. I am frankly baffled that an organization having the principles and know-how of the EU can even think of gating access to information with something so slipshod.
The only eventuality where this is acceptable is when desktop computers won't even be gated, and then if anyone can circumvent the problem with a computer, why is anyone even bothering with the whole thing...
Are they?
Again - this is only just one of the possible implementations of https://ageverification.dev/Technical%20Specification/archit...
It's possible to have others but as POC they are focusing on covering the biggest chunk of the population…
> I am frankly baffled that an organization having the principles and know-how of the EU can even think of gating access to information with something so slipshod.
That doesn't surprise me at all. Principles in a government body don't exist. They are all crooks.
It doesn't surprise me either, because I'd never be able to use a phrase like "the principles and know-how of the EU" with a straight face. (To be fair, you could replace "the EU" with almost any large bureaucracy.)
Sure. But the EU is not just your average bureaucracy. It's an entity that has as one of it's specific goals the following[1]:
> combat social exclusion and discrimination
[1] https://european-union.europa.eu/principles-countries-histor...
Any large bureaucracy has similarly lofty official goals
I understand we're all old and cynical here, but one of the tenets of discussions on HN would be to take someone's arguments at face value, so I prefer to believe that the EU as an organization actually wants to diminish social exclusion and discrimination. I'm not sure if I'd give the same credit to any other capitalist entity, but the EU does not have the implicit goal of increasing revenue for its shareholders to subvert any of the others stated.
Lots of countries have has similar goals and lofty promises in its constitution.
I take your argument at face value (in that I take it that you believe the EU has that goal at some level). I just to not expect it, as an organisation, to consistently promote that goal (for much the same reasons lots of countries fail to serve their citizens).
Profit making businesses have the explicit goal of making shareholders better off. Management usually choose to balance this against other goals (ethics, the good of wider society, their own interests...), just as the EU has the explicit aim you state, but, similarly, has other conflicting aims.
“They are all crooks” is the motto of another kind of personal corruption: the kind where people abdicate any responsibility to detail or distinction for the sheer indulgence of moral posture without any of the work.
Every time someone says “they’re all crooks” they are the enablers of crooks. The crooks couldn’t do it without people like that.
> This is a great example of how this whole requirement hasn't been properly thought out.
I think this is more an example of you misunderstanding the desires of the people pushing for this.
They want to actually ban this content, they just know that is a harder sell than restricting to adults. So for them, making it harder or impossible to access the content is a feature, not a bug.
Or rather: "You will need a smartphone to use this desktop app".
> oes that mean we will see a return of the 'desktop applications'...?
No. It's still required by law, which means that your desktop application will require some interaction with your smartphone.
Further forcing everybody to have their phone on person at all times
And as a prerequisite enforcing dependency on titanic (and in my case foreign) tech companies that are free to unilaterally ban you from communicating with your government. This is a BAD idea.
Depending on the implementation, you can run the app on your computer. I don't see why the iOS app wouldn't work on macOS, and there are tons of tools to run Android apps on Windows and Linux.
If the actual implementations do copy the dependency on Play Integrity and other such APIs, that does become a problem (getting past that is a major annoyance on amd64 computers because there are so few real amd64 Android devices that can be spoofed).
However, the law regarding these apps specifically states that the use of this app must be optional. I'm not sure websites and services will implement other solutions, but in theory you should not need a phone unless you want the convenience and privacy factor of app verification. I expect alternatives (such as 1 cent payments with credit cards in your name) to stick around, at least until we get a better idea about how this thing will work out in practice.
Waydroid on linux comes to mind. It sort of semi worked out of the box on archlinux but I can't try to imagine setting up somewhere else..
Wait a minute, while writing this comment, I realized that there was a guy who sort of packaged waydroid into flatpak-ish to run android apps in flatpak.
https://flathub.org/en/apps/net.newpipe.NewPipe
(It uses android translation layer??)
I am not an EU citizen but if somebody is & they want this age verification app on desktop, maybe the best way might be to support this android translation layer to convert this EU app into something that can run through flatpak and then use linux I suppose.
I mean, some of y'all are so talented that I feel like surely someone would do it if things do go this way! So not too much to be worried about I suppose :>
I've been saying this for years: eventually not having your phone on you and powered up at all times will not be a crime, but it will be grounds for questioning and search.
One day, there will be a knock on your door.
"Good morning, this is the police. Is there something wrong with your phone? Is your phone broken? Can we provide you with a charge?"
"No, I must have turned it off accidentally."
"Can we assist you with an upgrade? The newer models don't have power buttons."
According to Mallen Baker, this is already happening in 9 countries. https://youtu.be/0zlDVM1x8P4?t=228
I think you're exactly right, and the groundwork is being laid today by the standards society is setting for everybody. People will assume a lack of phone or the presence of a phone but lack of usage / content on it, makes you guilty of some sort of crime similar to owning a burner phone.
Tell somebody you use your phone less than 10 minutes a day and look at their face change.
> Tell somebody you use your phone less than 10 minutes a day and look at their face change.
While not less than 10 minutes per day for me, but I was having this argument on reddit over the iPhone Air - people couldn't fathom that there's someone out there that is not on their phone 24/7, and doesn't use their phone as their main computing device.
I clock in at under an hour screen time most days. It's the least ergonomic device for me to do anything remotely serious. Can't even stand typing on a virtual keyboard. My laptop is, and will remain, my main interface to the net and communication with others.
You'd think I was some kind of weird hermit luddite because of it.
Black Mirror "The entire history of you" now in mobile app version.
The Pedestrian: https://xpressenglish.com/wp-content/uploads/Stories/The-Ped...
So... 1984?
What does seem to be happening is rather that the assumption of having a phone will be built into every little thing - in particular mobile payments are becoming mandatory in some places. Transportation including parking is sometimes locked behind an app. We could also see stuff like landlords moving to smart locks that a tenant open with their phone.
Since children are universally not considered real people with real rights schools requiring them to have the right apps to perform their schoolwork are to be expected.
My EU country allows tapping the ID card on a NFC reader on PC for verification. No smartphone needed for desktop use.
Why wouldn't that be sufficient?
Don't worry, that feature will inevitably be phased out because only a small percentage of people use it.
Every new secure government identification/authentication/verification thing will try to 'just' use Android/IOS, because 'everyone' has one those smartphones.
Most PCs don't have NFC readers.
Cool, but that's the fallback they offer for folks who can't use the mobile app and it works just fine.
No reason that couldn't change. China should give good bulk discounts on 300M units /s
The wallet app can be started using a QR code. You can then finish the verification on your phone and continue on the desktop website/app/whatever.
What if you don't have a phone? Or what if your phone runs a custom rom and can't pass google's attlestation?
"Google, google everywhere. It's attestation is gonna be a nightmare."
Idk I created this just right now lol.
But on a serious note, Maybe check out my comment on something known as the android_translation_layer with flatpak to see if that might help to run that app atleast in linux.
Linking it here : https://news.ycombinator.com/item?id=45361397
Then you can't use this method of identification, just like you can't use it now. Surely it won't be the only way to identify yourself online. If this provides a frictionless way to do this for 95% of people then it's already a huge win.
Don't let perfect be the enemy of good.
No, this is worse because it solidifies Apple/Google's duopoly over the smart phone market even more than it already is.
Not only that, but having this locked behind something that works for 95% of users means the other 5% will never have enough leverage for any other implementations to be approved. Which is absolutely unacceptable for such an essential feature like age verification.
Why can't we continue with an open web standard? We should have complete interoperability regardless of whether I'm using a google smartphone or a custom os I wrote in my garage or bsd or nixos. That is the entire point of web standards: to create the ability to communicate with one-another regardless of system design, so long as standards are properly implemented.
This is a general computing crisis.
The requirement for age id is already stupid.
The target, which are the children who access "forbidden" websites without authorization is likely to be lower than amount of people who won't be able to access due to those narrow specs.
If you don't have a phone, you cannot create a new Google or Vk (social network) account today. I expect there will be more things you won't be able to do if you don't want to leak your information.
This is plain stupid. Countries (e.g. where I live) already have systems like SPID or CIE that can authenticate users using a multitude of factors, for example I can authenticate myself with a QR and a phone, or I can not even have a phone at all and have a 20 euros NFC reader connected to the PC and can authenticate using my digital document and a PIN.
I see this as a huge stepback to be fair.
How can I do this when I don't have a phone?
Don't you people have phones?
Edit: Sorry that reference was a deep cut, I was quoting the devs of that awful Diablo mobile game way back.
No? I had been with dumb phone for almost a year from like 2024-25? What point are you trying to make as I think that there are some good dumb phones in the market which even support things like signal.
I used to use the messaging app through SMS tho, the people that knew me (that 1 friend gets a shoutout here who used to msg me through SMS in the world of whatsapp and my mom!!)
Most phones are used for two things that my father used to quote: Whatsapp (messaging app) and youtube(social media)
Entertainment could somewhat be offloaded via music player etc. into dumb phones and to be really honest, I think that even things like hackernews could be operated on those dumb phones if given the ability to.
https://www.youtube.com/watch?v=QdYrBpBJRI4 : this is the dumbphone which supports signal btw. Wish there was a way to make app for dumbphones like these just as how we can make apps for androids.
I was shocked by how much feature packed my chinese dumb phone was for 11.27$ lol. It just didn't have internet & yeah games as well.
A phone isn't enough, you need an Apple or Google account as well. So if your Google account gets banned, you might as well just jump of a bridge because it's over for you.
That is easy to solve though. If Apple/Google become essentially an utility, they are legally mandated to provide an account for any EU citizen =)
For what it's worth, I chortled.
App not available doesn't mean age verification not required. You can be required to confirm your account from your mobile phone or scan some QR code on mobile that will take you to age verification session and once completed you can continue from the desktop.
I mean, otherwise would be like not being bound to speed limits if you don't have a speedometer.
>I mean, otherwise would be like not being bound to speed limits if you don't have a speedometer.
That only works in a world in which the government provides speedometers, which restrict the vehicle automatically, and in this case they refuse to provide them at all for blue cars.
So a loss of mobile phone will mean loss of everything? Maybe we should just kill people if they lose a portable mobile device which can just stop working by itself? I fully expect there to be some idiotic scenarios where to get x, you need to already have x.
Be as much work as possible in all places, where the default option is to do something with your mobile phone. If enough people do that, then the alternative to using your phone will need to have good process, so that it is not holding up everyone else.
If something doesn't work without your phone, report it being broken. If they tell you to use your phone, tell them you don't have one. If possible, leave their service, if they don't care.
We have to make it their issue as much as possible, when they try to push their shit onto us.
Surprisingly often there is a workable alternative to using ones smart phone. We have to make use of those as much as possible, so that the cost for them to get rid of those options will be high and they think twice before doing that and offending us.
They will terrorize us like that and then, they will use implanted chips. One primary one backup. It is extremely rare to lose both. Possibly the primary will be in your head.
Why would loss of a mobile phone be that dramatic? Go buy a new one? Having the equipment in something that requires an equipment is pretty reasonable when the price range is within the reach of everybody.
Just wait until kids figure out you can run an emulator for an older desktop platform on a modern phone with ease
> What I would like to take from this is that, by their own definition, desktop apps are out of scope for Age Verification. So does that mean we will see a return of the 'desktop applications' instead of everything being a web service ?
I doubt it unless something odd happens like triggering some reaction. They’ve looked at the data and see the majority of society using “phones”, which are really just increasingly small computers that happen to have a feature to also make calls; and they’ve decided that this trap they’re leading us all into can and may even need to stay open and inviting for a while anyways until the older people die off and desktop form factors kind of fall by the wayside, before the trap is even ready to be sprung. In the mean time they’ll just gaslight and lie about what they’re doing, to save and protect the children of course, until the day that you tune around from a distraction and the trap door is shut behind you.
It’s the same MO as always, with the gullible and naive enablers being essentially the worse threat than the actual perpetrators.
I've posted this as a response but I'll post it again since it seems like a lot of people are confused about the project:
This project is not THE digital wallet, it is an early prototype of the wallet (which can be criticized for what it is, but the issue is somewhat orthogonal).
The actual infrastructure is not based on attenstation, if you read the guidelines (or the readme) they actually want to implement a double-blind approach with ZKPs, which imo is significantly better than a challenge-response pub key system in term of privacy as some suggested. And allows for cross-platform (and in theory hardware) support.
If you're not familiar this would mean the verifier doesn't learn anything except a statement about attributes (age, license, etc); and the EU doesn't learn what attributes have been tried to verify or by who.
Thanks for chiming in! Is there some documentation on the Zero-Knowledge-Proof, that this app is supposed to use?
See https://github.com/google/longfellow-zk
I don't know the specific ZKP variant if that's what you mean, but the general architecture of the system is best described in the 38C3 talk from earlier this year: https://www.youtube.com/watch?v=PKtklN8mOo0
There are some choices that are debatable (more on the issuer side iirc), but imho for the goals it has it's a competently made architecture.
> a lot of people are confused about the project
This is misleading. They are merely exploring options that may allow for issuer unlinkability, but they are actually implementing a linkable solution based on standard cryptography that allows issuers (member state governments) to collude with any verifier (a website requiring age verification) to de-anonymize users. The solution is linkable because both the issuer and the verifier see the same identifiers (the SD-JWT and its signature).
The project is supposed to prove that age verification is viable so that the Commission can use it as a success story, while it completely disregards privacy by design principles in its implementation. That the project intends to perhaps at some point implement privacy enhancing technologies doesn't make it any better. Nothing is more permanent than a temporary solution.
It will also be trivial to circumvent [1], potentially leading to a cycle of obfuscation and weakening of privacy features that are present in the current issuer linkable design.
[1] https://news.ycombinator.com/item?id=44458323
> This is misleading. They are merely exploring options that may allow for issuer unlinkability, but they are actually implementing a linkable solution based on standard ECDSA..
The repository we're commenting on has the following in the spec[0]: "A next version of the Technical Specifications for Age Verification Solutions will include as an experimental feature the Zero-Knowledge Proof (ZKP)". So given that the current spec is not in use, this seems incorrect.
> It will also be trivial to circumvent
If you have a key with the attribute of course you can 'bypass' it, I don't think that's bug. The statement required should be scaled to the application it's used for; this is "over-asking" is considered in the law[1].
> The project is supposed to prove that age verification is viable, while it completely disregards privacy by design principles in its implementation. That the project intends to perhaps at some point implement privacy enhancing technologies doesn't make it any better.
I agree that in it's current state it is effectively unusable due to the ZKPs being omitted.
[0]: https://github.com/eu-digital-identity-wallet/av-doc-technic... [1]: https://youtu.be/PKtklN8mOo0?si=bbqtzMhIK7cFLh6S&t=375
> So given that the current spec is not in use, this seems incorrect.
No, that's not what they mean. They just mean that the spec (and for now only the spec, not the implementation) will be amended with an experimental feature, while the implementation will not (yet).
I understand (?) that you are interpreting this as: "we'll later document something that we've already implemented", but this is not the case. That isn't how this project operates, and I'm intimately familiar with the codebase so I'm completely certain they haven't implemented this at all. There is no beginning or even a stub for this feature to land, which is problematic, as an unlinkable signature scheme isn't just a drop-in replacement, but requires careful design. Hence privacy by design.
> If you have a key with the attribute of course you can 'bypass' it, I don't think that's bug.
Anyone of age can make an anonymous age attribute faucet [1] for anyone to use. That it's not technically a bug doesn't make it any less trivial to circumvent. I wouldn't expect the public or even the Commission to make such a distinction. They'll clamor that the solution is broken and that it must be fixed, and at that point I expect the obfuscation and weakening of privacy features to start.
So as we already know that the solution will be trivial to circumvent, it shouldn't be released without at least very clearly and publicly announcing it's limitations. Only if such expectations are correctly set, we have a chance not to end up in a cycle where the open source and privacy story will be abandoned in the name of security.
[1] Because of the linkable signature scheme in principle misuse can be detected by issuers, but this would be in direct contradiction with their privacy claims (namely that the issuer pinky promises not to record any issued credentials or signatures).
> Anyone of age can make an anonymous age attribute faucet [1] for anyone to use. That it's not technically a bug doesn't make it any less trivial to circumvent. I wouldn't expect the public or even the Commission to make such a distinction. They'll clamor that the solution is broken and that it must be fixed, and at that point I expect the obfuscation and weakening of privacy features to start.
I can see this argument, but it has a few caveats:
- The 'faucet', providing infinite key material in an open proxy is also very vulnerable
- If the only attribute is age verification then uniqueness is not required; i.e. you can borrow the key of someone you trust and that should be fine.
- The unlinkability is a requirement from the law itself, i.e. the current implementation cannot be executed upon assuming rule of law holds
> This project is not THE digital wallet, it is the wallet
...what?
GP has edited the comment to make more sense
This is hardware attestation in a nutshell: a double edged sword, and a sharp one at that.
The biggest issue is that the attestation hardware and the application client is the same device with the same manufacturer, who also happens to have a slight conflict of interest between monetizing customers and preserving any sort of privacy.
IMHO the pro-attestation forces are so overwhelming that we should all cherish the moment while we have anything open left.
My understanding of the "double edged sword" idiom is that the tool has both downsides and upsides. What are the upsides to restricting what I can do with the hardware I paid for?
Revenue for the device manufacturer for licensing sales in their walled garden "store".
Since Apple and Google are public companies I guess we should all buy stock and reap the financial rewards of destroying computing freedom. >sigh<
The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
That seems completely contrary to the spirit of EU laws and regulations, which tend to be about protecting the consumer, preventing monopolies, ensuring people can generally live their lives where all things that are mandatory are owned and ran by the state and foster a certain degree of EU independence, with a recent focus on "digital sovereignty".
This one is a five for one against all of those goals? Harms the customer (you could see this as the polar opposite of GDPR), strengthens entrenched monopolies, force citizens to be serfs of one of two private corporations in order to access information, and on top of that, like it wasn't enough, willingly capitulates to the US as the arbitrates of who is a valid person or not.
This is so against the spirit of the EU itself that it would almost be funny if people weren't serious.
> The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
Please (kindly) ask Paolo De Rosa [1], Policy Officer at the European Commission and driver of many of the decisions behind the wallet and the ARF. His position is one of fatalism: that it's "too late"; the duopoly of Goople is entrenched, and it's therefore not a problem if the wallet project entrenches it even further. Regrettably quite a lot of member states agree, although representatives of France and Germany specifically are frequently standing up to the fatalism.
[1] https://github.com/paolo-de-rosa
> The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
Because the EU doesn't actually care about privacy, otherwise they wouldn't be trying to do this and ChatControl. They care about being the main ones to spy on you, and maybe using fines as additional "taxes" on rich foreign companies. That's it.
The app this discussion is about is a reference implementation that is part of a long-term process for building a digital identity app. Specifically, this discussion is about the age verification part of the app, which is the first part expected to be finished but is also only a small part of a much wider ideal.
Europe's dependence on American tech is a major pain point but realistically, there are only two smartphone vendors. If a European vendor does rise up, I'm sure whatever app comes out of this process will happily hook into the hardware attestation API for that OS as well.
https://github.com/eu-digital-identity-wallet
This "identity wallet" is such a hostile idea, require identification for everything instead of thinking about how to remove identification (for example, allow anonymous banking, traveling).
Wait until you find out that in some places in the EU it's a crime to not carry a physical ID on your person when you leave the house.
But you could do attestation on GrapheneOS, no need to require the users to have Google spyware preinstalled. Google is abusing its position here, attestation should be to verify the security model, not Google's business model..
Attestation is fundamentally incompatible with software freedom.
When scoped to attest the full software stack down to the kernel, yes, because it takes control away from the general purpose computing device that the user supposedly owns. I don't however have a problem with attestation scoped to dedicated hardware security devices such as Yubi Keys.
And if such dedicated hardware is ever required by the law, the manufacturer should be prohibited from bundling any business-related functionality there (such as displaying ads) that can't be turned off without breaking the certification.
Google's ad business model should never be mandated by law, unfortunately lawmakers seem to be unaware that this is what requiring Play Integrity effectively means.
Yes, and remote attestation should be illegal on any general purpose computing device, for some reasonable definition of what that is. General purpose computing should be a human right, in particular the right to change the software running on devices that you own.
Take any group of a hundred tech people (devs, analysts, architects, etc.), and 95 of them will do everything with their stock Android or IOS smartphone. Maybe 3 will consciously limit their use of that device, and the remaining 2 reluctantly use something sane like GrapheneOS. Those two might pipe up and take a stand for people without smartphones (which includes a very varied swath of people, from Luddites to people with disabilities), but they'll get drowned out by sighs, sheepish looks, and the chorus of 'let's just start with those two smartphone OSes, and if after a year or two people still really need something else, a new project can be started to address that'.
It's not an insane question, it just doesn't get asked.
> The insane question here is, why would the EU mandate hardware attestation controlled by two private American companies in order to access services?
Because this is being pushed by lobbyists to use hardware attestation to make it piratically mandatory for every citizen in the EU to be registered to either Apple or Google with a real id for all non-trivial online interactions at all times. The people behind this push neither have the technical knowledge nor care in the slightest that this is the consequence.
>piratically mandatory
I am stealing this typo.
Do you believe they care for EU? The driving forces are other.
This could be a boon to all sorts of new kind of hardware though (wishful-thinking mode)
How does private access token (PAT) compromise privacy in the name of monetization?
Well, in the end there may only be one thing left we can collectively do, but which we surely won't collectively do, because too many of us are way too comfortable to accept any discomforts: We can avoid using services implementing shit, so that any business that singles out desktop users or disadvantages them, doesn't have much of a customer base. Voting with out feet.
I have very little hope, that the common user will make use of their own agency avoiding a dystopia, or even think about issues associated with their behavior. We can see this everywhere even today. The majority of people are clueless and just accept whatever bone is thrown their way. Need to buy a new phone every year now? OK. Pressured to accept digital surveillance by not even state agencies but private profit oriented companies, that want to sell your data or use it for nefarious purposes? OK. Giving all your communication data to big tech? OK. ... It is all just a big "auto-accept any digital rape" for most people, as they don't even want to think about the technical implications and implications for society. It's all so far above their technological understanding, that they just exit the bus, when it comes to discussing these things. That is the problem we face. How to make the normal person aware and interested in their own digital rights.
Depressingly this feels like a long lost battle. I suspect internet freedoms will continue to be eroded and by the time most people care enough it’ll be too late.
My optimistic brain is hopeful for federated services to become the norm and stand up to this kind of crap.
I fear it is already too late, thanks to the phone duopoly and bulletproof secure boot environments. The EU can now make remote attestation mandatory by law.
We have to assume this is only the first step. The next step will be mandatory identity attestation for everything and your only choices will be to either accept it or not use any services at all.
Unless you can show a direct cause-and-effect relationship from clicking OK on some form to something negative happening in their real life that impacts them in actual physical real life, a real event at a particular time that they can observe with their eyes that relates to their real life (family, job, social life, going about their day), most people won't care. Otherwise it all blurs to some abstract words and theoretical tinfoil-like worries about the "government" and ufos and sovereign citizens.
I finally took a look at the DSA, and it only mentions anything relevant to age verification in three places:
- Recital 71, which vaguely suggests minors' privacy and security should be extra-protected, but says that services shouldn't process extra personal data to identify them.
- Article 28, which says that platforms should provide a high level of "privacy, safety, and security of minors", again without processing extra personal data to identify them. It also says that the Commision may "issue guidelines", but says nothing suggesting age verification should be implemented.
- Article 35, which says that "large online platforms" should maybe implement age verification.
Furthermore, recital 57 says that the regulations for online platforms shouldn't apply to micro/small enterprises (which has a definition somewhere). All together, I don't see anything suggesting that anyone but the largest online services is being forced to implement age verification right now.
Judging by various posts by the Commision I've seen online, they're certainly pushing for the situation to be seen this way, but de iure, that's currently not happening.
EDIT: I found the guidelines mentioned [0], and a nice commentary on the age verification parts [1].
[0]: https://digital-strategy.ec.europa.eu/en/library/commission-... [1]: https://dsa-observatory.eu/2025/07/31/do-the-dsa-guidelines-...
The digital identity wallet isn't part of the DSA; it is part of an effort to bring identity to your phone, basically: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...
If implemented according to plan, things like ID cards, drivers' licenses, diplomas, train tickets, and even payment control can be handled within such apps entirely digitally. Aside from age verification, with attribute based authentication you can prove digitally that you're permitted to drive a certain vehicle without revealing your social security number (equivalent).
A healthy dose of cynicism would make clear that the moment such optional infrastructure is rolled out, new legislation can be drafted to "save on expenses" by enforcing this digital model and "protect the kids/fight the terrorists" by forcing age verification on more businesses.
> Aside from age verification, with attribute based authentication you can prove digitally that you're permitted to drive a certain vehicle without revealing your social security number (equivalent).
That doesn't make sense because the government knows about every vehicle and its owner and his social security number and there is no point to hide it. I think you misunderstood something or I misunderstood your comment.
The goal of "bringing identity to your phone" is making identification easier to require it in more cases so that the government knows better what its citizens do. One thing if you are required to fill a 20 fields form to buy a bicycle and another thing if you need just to tap your phone at the cash register.
> can be handled within such apps entirely digitally.
_Can_ be handled? So you could still just use traditional physical, paper IDs?
Yes, but this isn't part of the digital wallet project. As I understand it, the Commision was so impatient with age-verification that they commissioned this project separately, because they didn't want to wait for the full solution, hence it being called a "mini-ID wallet".
I'm certainly not against vigilance and making sure no new laws mandating the use of either this or the full digital wallet sneak through, but my point is that, despite the Commision's misleading public stance, age verification is (mostly) not mandatory today.
That's true, but as this is only a small part of the larger project, it's also targeting a very specific part of legislation.
The README for the age verification spec specifically calls out article 28 of the DSA and the Louvain-la-Neuve Declaration. Neither is aiming to be the mandated age verification mechanism for every single website, but rather a specific tool to solve a specific problem: age limits on social media and big tech websites.
If, or, seeing Denmark's recent bullshit: when, we do get mandatory age requirements, it'll be part of new legislation that will likely take years to go into effect, and, seeing how long it took websites to comply with the GDPR, will start affecting most websites even later. This isn't the doomsday law that I would've expected to come from the US if they were to write something like this, and using privacy-first cryptography does give me some faint hope that this isn't just a big performance to hide malicious intent. This could've been as bad as eIDAS 2.0 with the QACs and other unreasonable technical requirements.
I think the title "EU age verification app not planning desktop support" is misleading because it gives the impression that there will be no way to support EU age verification on the desktop.
This is addressed in the comments:
> It should also be noted that this project is an example of a solution that is considered to meet certain requirements of the DSA, regarding the protection of minors. It does not prevent the use of other solutions that also meet those requirements.
So I think a better title might be "EU age verification example app not planning desktop support"
(don't get me wrong, I'm not a fan of how this is implemented, but it's important to be accurate in our critique)
Tin foil hat time: this is why Google is pushing to kill app sideloading.
Mobile phones are the only platform at the moment that can reasonably be used to enforce mandatory software installs and remote attestation. Removing sideloading can down the road leading to Google (or Apple for IOS) forcing all app store provided apps/browsers to support government authentication APIs like this.
Google is gung-ho on embracing every kind of identification law because it aligns with their business model. They sell ads therefore it is important that humans are authenticated. Other social media companies like X have similar incentives.
"This makes the web unusable for anyone who wants to browse the web privately."
This is not an accident. This is intent. Look at the arrests for social media posts in the UK and Germany.
And Hungary
https://www.euronews.com/my-europe/2020/05/14/hungary-critic...
Denmark has a digital ID service for its citizens called MitID which includes a 2FA system that can involve a smartphone app, but not necessarily. Citizens can request a code display device if they prefer not to use an app. There are also audio code readers for people with impaired vision.
The system works really well and it’s very convenient.
This is outrageous and doesn't make sense
It makes total sense. The whole point is to punish self-respecting people who use freedom preserving operating systems and treat them as second class citizens.
See: https://news.ycombinator.com/item?id=44704645
Depends on whom you ask. Google introducing the developer verification and sideloading on iOS being even bigger hurdle, they want to stay in control on what you use and they want to make sure you don't have possibility to use anything they explicitly permit. Normal desktop is unfortunately too open for that. Discourage people to use desktops and make rely on controlled gardens even more.
what if i were to buy a linux phone? it's not even about desktop support, it's about supporting iOS or android and nothing else which is really bad
Most of what the EU does these days is (knowingly or not) freezing the current status quo regarding the tech world. It’s depressing.
And Europeans are either too passive, too ignorant or too focused on the wrong issues.
This post is misleading.
The project is just an example.
It does not mean there will not be support for other ways of verification.
Arguing with some random developer contracted by European Commission to make example code for mobile devices is not a political solution
Exactly
It also doesn't mean that there will, and it is a strong indication that there won't.
Only available on Android and ios, only installable from Google and Apple App stores (in practice now, but completely when Google tightens control). So much for digital sovereignty.
It's more then reliance on smartphones, it is reliance on people having a Google or apple account to actually download the app.
That's a large factor worse. The digital identity wallet has as one of its spear points privacy, but it forces you to have that big tech privacy slaying account.
It's a privacy tying sale.
The much bigger issue is that it's the first time when you're required by law to install government software on your devices. It's breaching your private space and it's immoral and wrong. Private spaces, including digital, should be protected from government by constitutional law.
> the first time you're required by law to install government software on your devices
If it were only that. We could sandbox it, deny it permissions it doesn't need, or inspect what it does. All fine and dandy.
No, it's the first time a democratic government requires you to carry a 5G video recorder that you can't turn off short of smashing it to pieces if the manufacturer is ordered to make it so. But then you can't do half the things a normal person can do so you won't smash it to pieces if you don't have evidence it's currently acting as a bug.
The EU software tries to detect when you put it in a sandbox or when you merely try to inspect what it's doing. Attach a debugger and it'll refuse to verify your age to social media so you can't use that anymore. Install an open source OS on your phone and you can't so much as legally obtain your own government's software in the first place.
I wonder how this aligns with EU's accessibility act. Covering "the vast majority of users and real-world use cases" isn't really enough based on EU's own regulation.
Smart move, no sense making an app to tell you all us desktop users are old.
This is insane. USA is already pushing sanctions against Europeans via US companies (e.g. Microsoft revoking ICC accounts), and now they are about to tie basic functioning in the society to two US megacorporations. At the very least this will solidify the duopoly.
At this point I don't find it impossible that critics or other "enemies" of US (or Israel) in Europe will get their phones bricked as sanctions, and as a result become second class citizens.
I don't even see the necessity for having hardware attestation. We've had for decades online ID systems that can you can run on any device with an internet connection.
But think of the children, right?
Tangentially, I would love to be able to see the age of everyone on the internet. IRL this gives us so much context when having an interaction.
I can't find which document it was specifically, but I seem to remember that the hackers' ethos always been that it doesn't matter who you are, what your title is or skin looks like, but that your arguments are to be valued by its merit rather than by who says it. Age seems like another one of these properties you are stuck with
I agree with that, I'm not arguing for discrediting arguments by age and ask for authority of the elders or something of that sort. Age provides context, it's helpful with facilitating the conversation in a healthier manner. Just the other day I was having an intense argument with someone on reddit, at some point it occurred to me that they don't understand because they are too young(checked the profile, definitely some kid trying to have an opinion on grown up stuff) and my words don't ring a thing in their head. Instead of being angry for them being too stupid to understand, I decided that they are not stupid or bad people but just too young. I was at that age some time ago and I knew how it feels, so left them alone. They will understand when they understand.
This is because words actually don't carry much meaning, they invoke something that the other side understands already. For example, it's very hard to have a conversation about some aspects of a relation of 40 y/o people if the other party is in their 20s. You need to relate with something of their age and build it up and even then its likely they will understand it completely the wrong way. Over the years people evolve, they go over stuff and when you meet someone who hasn't been through the process you need to be aware of that otherwise you will mistake them for stupid(because, not everyone who ages ends up going through the transformation the same way. You better know if you are speaking to such a person or a younger person who has the chance).
What I don't understand is, why people assume that everything you know about someone is supposed to be used against them. Why everything needs to be malicious?
Thanks for the elaborate and thoughtful reply! I have little to add to the bigger paragraphs, but about the question at the end: I've been wondering the same and think it must be an information age thing. Not in the abstract or the "kids these days" sense, but in that everything is stored somewhere and processed in invisible ways
I don't remember caring that someone took a picture of me with their Nokia when I know that they'll at worst share it to a handful of people via Bluetooth or try to upload it to a friend's MSN channel via GPRS. It won't be uploaded to Facebook, facial-recognized, and stuffed into a global database. Or visiting websites: I operate a website and I know you can parse which pages I viewed straight from the access logs. I don't mind, you can see what paths I took through the website and you might learn how to make a better flow. But technically, drilling down to such an individual user level is tracking based on personal identifiers and so would require consent under 2018's GDPR. I'm happy that it now does because I don't want Google to track every page I visit, and ~everyone uses Google Analytics because then you get perks like knowing what search queries you are doing well on (how convenient that google removed referrers for privacy)
I don't really have a solid answer -- why do I care about Facebook and Google but not about John "Malicious Sysadmin" Doe? -- but maybe it makes sense on some level. I need to think about it more still
I think the problem is that the new communication methods are allowing for new modes of communications that we lack tools for dealing with malicious actors(like IRL when someone lies constantly, we know how to work with that person but we don't know how to deal with someone from the other side of the world who lies as a full time occupation preying for attention). The newer generation people are less and less interested with "talking to strangers" as the environment become too toxic and goal(like promoting a product or pushing an agenda) oriented when the internet became mainstream with the proliferation of 3G and iPhone/Android. IMHO There are not many real people out there, most people who create content are doing it as a job or as a side hustle and those who provide the platform treat people as numbers, probably not much different than butchers who are just trying to produce some meat so they don't see the animals as live being. Plus, there are psychos all over the place who are trying to harm people for entertainment.
As a result, real people are having real talk in the safety group chats where they know the members to som degree, IIUC.
Further tangent, I'm not big on digital ID and stuff overall but then I'll play an online game with cheaters and wonder if it's not the solution to things like this. Lifetime cross platform online game bans tied to your real life ID which you need to sign into this new all encompassing anticheat.
I don't think that anything should be as harsh ever but yes, having a reputation that goes everywhere with you is how we deal with problematic people in real life. That's how we stay civil without AI systems constantly scan us or some type of police constantly watching. Also, we tend to tolerate, forgive and eventually forget when someones behavior improves, so... Maybe actually having a continuous persona can help with the nihilistic tendencies too?
False positives aren't exactly rare. Cheaters trolled PunkBuster's memory scans by sending offending payloads matching blacklisted signatures over popular IRC channels, less recently they exploited an RCE vulnerability to deploy cheats to other players computers, mid-game. AMD released drivers hooking themselves into games processes, triggering detections. And there's a lot of less obvious problems with this approach.
I dream of a world, in which people are judged not by their age but by the content of their character.
There are other interaction modes than judging or hating. Age is useful for many of those, its especially useful for tolerance. Most cultures do have age based moral code for interaction which compensates both for experience(lack of) and decaying cognitive abilities due to age or provides credibility for perspective and trustworthiness.
This enforced loss of fidelity is among the primary problems for online communications.
You're right, for example age is useful when picking targets for scams. It would also be great for groomers.
So? Go protect them the proper way. Do you want also to have all your messages scanned because you may be up to something illegal? Should we refrain from encryption because can help terrorists? That's not my cup of tea, I don't like proxy "protections" that are supposed to protect us from evil at some huge cost like loosing privacy or human connection.
I don't subscribe to the idea that we should ban knives because someone can use them to stab someone.
And I hope they give their gender, ethnicity, nationality, religion, salary and geo coordinates.
right, because everything has to be a hyperbole. Either it has to be context-free or full totalitarian environment, right?
Maybe the internet was a mistake.
Do you want desktop PC vendors locking down hardware to enforce integrity?
Want do you think Windows 11, latest macOS, ChromeOS hardware requirements are all about?
CoPilot+ PCs even require the same security chip as XBox and Azure Sphere IoT board (Pluton), in addition to TPM 2.0.
https://learn.microsoft.com/en-us/windows/security/hardware-...
Well, yeah. There’s no way to curb the modern cheating epidemic without increasing security measures. Riot Games via Valorant truly pushed the industry so far ahead by reducing their cheating percentages so low that the cost to cheat for more than a few weeks at a time is thousands of dollars a month.
It’s not the sole reason, but it’s a solid one.
They have some other secret sauce for sure, there's tons of cheaters on console which is a vastly more locked down platform compared to pc.
Better that it's a dummy device I can stick in a corner and turn on when needed, than the thing I need to carry around all day for various purposes like finding my way around and showing a legal public transport ticket
I don't want integrity on my mobile so why would I want it on my desktop?
Exactly, remote attestation is only acceptable on your own devices with remote attestation servers that you control.
For example, it would be completely fine to implement remote attestation where devices issued by companies to employees verify their TPM values with company's servers when connecting via VPN.
All other such activities directly infringe on ownership rights.
I don't see the value of remote attestation period. Especially when we talk about the mobile world which is a jungle where even the manufacturer itself doesn't have the full picture of all the code running on the device.
Yeah sure it's guarantees that the device is more or less similar as from the factory... and then what? What am I supposed to do with that information?
It can be valuable on devices *you own* with servers *you own* when the devices are not physically present (or even if they are).
You can get PCR values and decide if the device you are talking to is tampered with. That way, you can set a higher bar for hackers.
This is completely different to what this topic is about, I'm just saying that there is a case where it can be useful.
I guess I'll pass then.
Looks like the 'number of the beast' isn't a number; It's a smartphone from Google or Apple. Who knew?
They point out that some other service could do it:
> It should also be noted that this project is an example of a solution that is considered to meet certain requirements of the DSA, regarding the protection of minors. It does not prevent the use of other solutions that also meet those requirements.
Is anyone building that service?
The EU is paying for this one but not other ones apparently. Strange. It's almost as though they're paying to build what they plan to use rather than making an example for the heck of it
As more people move away from spyPhone devices, how is this going to work. Especially having BigTech being able to hold the EU ransom over access to basic government services.
A phone should not be a requirement to partake in society, and I´d even argue the same for a bank account. But I see this month another strong push towards a digital Euro. Is that the true purpose behind this push for .eu ID Apps?
Besides the obvious issues at hand, it's kinda ironic they publish this on Github, EU tech independence is going great.
When the UK age verification legislation was being debated I recall people saying "don't worry about unintended consequences, it's not like you'll be have to show your ID to random websites! Someone will show up with a reasonable methodology. You'll be able to e.g. show your ID at a shop and get an anonymous token.".
And plenty of people, including myself, thought "this is so dystopian it couldn't possibly happen".
It did happen, and it's as bad as the doomsayers said it would be.
I would be curious what it's like in the UK. It would probably do well as an HN submission if you're up for writing a blog post about it. All I know is that they passed some legislation that requires people to authenticate for anything that could possibly show nudity or something, including Wikipedia, and that VPN apps were going wild. I don't know what it's actually like in daily life, how one does authenticate to Wikipedia (or if they bought themselves time for now by iirc suing the govt?), if there are privacy-friendly age verification options and if those options are commonly implemented by the websites that need it, etc.
So in order to be a part of European society I need to accept the terms and conditions of US companies?
What happens if something goes wrong and you have to rely on contacting a human in Google of all places? Sorry, you have a copyright strike on your YouTube account, now you can't file taxes! Hopefully you have enough followers on Twitter than you can get them to pay attention.
EU is just rushing into bullshit dystopia scifi with its useless and harmful anonymization and chat control ideas. These just ought to fail and be rolled back. Imagining these succeed seems nearly as wild as waking up in the world where people do yakuza-style thumb cut to every naughty kid who fails to do his homework.
I think this ship has sailed; I'm in India and I literally can't spend money without a phone.
Does that work on a (mostly) open source OS such as GrapheneOS or LineageOS, or does it require a locked phone from Google or Apple?
Here's my crack at a good-enough solution for the U.S. It doesn't have a ton of granularity - but the concept is shovel ready now, dirt cheap, and privacy preserving.
Video Demo: https://www.youtube.com/watch?v=MmcUJ5u65Q0
Actual Demo: https://app.hornpub.click
How it works:
1) Go to app.horpub.click
2) Create an ephemeral passkey
3) Extract its public-key and id (this binds the credential you're creating to your device)
4) The user copies this data to their bank's Age-Verification-Section
5) The bank creates an object that it signs with an attestation of the user's age (KYC) and their pass-key-public-key
6) The user copies this back to app.hornpub.click
7) The passkey is verified on the server, the bank's signature is verified by the server, some other meta-data is verified to make sure nothing weird is happening.
8) The user's age has been verified by their bank without the bank knowing who is asking for verification
* This method is more private than anything requiring sharing your photo-id online
* This method doesn't trigger GLBA or GDPR (user copies data themselves)
* This method is free to the merchant (hornpub)
What's crazy to me is why they didn't go for that kind of implementation. This works well, ensures privacy, can be audited easily, and doesn't need a f*cking app on my phone.
If you read the guidelines they actually want to implement a double-blind approach with ZKPs, which imo is significantly better than a challenge-response pub key system in term of privacy.
If you're not familiar this would mean the verifier doesn't learns anything except a statement about attributes (age, license, etc); and the EU doesn't learn what attributes have been tried to verify or by who.
Not asking to troll or be a jerk. Promise.
What would need to happen in the United States to implement a reliable ZKP age verification system - and how long would it take to roll it out?
Asking because it feels like the Titanic has sunk, and we're eschewing a floating door because the coast guard has regulation conformant life rafts that would work better.
> United States to implement a reliable ZKP age verification system (my emphesis)
Realistically at least 3-4 years, assuming they want to keep the same goals as eIDAS. I think the (software) implementation will be the least costly part, time-wise; but it takes a long time before everyone adopts a new social system. Especially in the US where there has been no precedent for digital identification. Even with full control of your own ID & and solid implementation details, there will be push-back just for suggesting that people/companies should adopt it.
If I work for Aylo (pornhub, etc) I'm telling every fintech and click-and-mortar bank who wants more customers to do this yesterday!
"Hey third fifth of Oregon! Do you want to triple your customer base in Oregon for the cost of a small dev team and 1 month of work?!"
> f*cking app on my phone
I need another app on my phone like I need another hole in my head...
What happens if some party is able to get logs of the bank's age attestation signings and of hornpub.click's steps #2 and #6? It appears this would present some risk of matching up hornpub.click accounts with real IDs.
This is called "linkability" and ideally should be avoided so anonymous age verification can be safe.
Banks and most sites requiring age verification are _littered_ with tracking software that does _literally_ this.
Further, if you put on an adblocker and I get access to the logs at ironbank and hornpub; I could just query them for your IP address.
Collusion to this degree is possible, but doesn't seem worth worrying about if the aforementioned attack vectors still exist. My $0.02.
But the bank and the horn content provider could collude and that would let the bank know that you're watching horn (shame, shame!).
The ZKP approach aims to prevent this attack method.
Chase.com currently is using:
mPulse
Google Marketing Platform Meta
LinkedIn Ads
Trade Desk
Aggregate Knowledge (Trans Union)
Adobe Audience Manger
Can you elaborate on how the risk of ironbank and hornpub colluding by de-anonymizing you via rainbow tables or IP forensics is substantially greater than Chase and PornHub using - Google Marketing?
It isn't, but due to bureaucracy, when designing a solution, it's that solution that has to be "secure" without really considering that the current outside situation is already insecure..
Anyway I'm not advocating for this solution, just addressing the question directly.
Thanks for the feedback.
I don't see this as the end all ultimate solution for age verification. I see it more as a tourniquet; imperfect - but better than bleeding to death.
I think that the European Digital Identity project should not be hosting its source code and content related to European standards, guidelines, and initiatives on GitHub, a closed source product owned by Microsoft.
Quick! Save the EU from Microsoft by cloning it to your hard drive so the code can be safe and sound.
Nah seriously this doesn't really apply to Git.
If nonprofits like the FSF or communities like the Debian project are able to store their code, why is an organisation with the magnitude of the European Comission unable to do it.
Why stop there? Go all in: they should not run their open source totalitarian digital control nightmare codebase on closed source hardware, because that's the real issue!
If Dr. Evil created a death ray machine to destroy all life on Earth, I would be there to say “oh it is based on an open standard, how nice”.
Something tells me the granny on the bus can verify her age by going to the local service desk.
My experience with digitalisation is that the optional physical service desks quickly start disappearing once the younger generations start using digital equivalents.
Card payments and digital banking have closed most bank offices outside the larger cities. Mail dropoff boxes are slowly dying out. Paper bank invoices now cost extra (an unreasonable amount extra).
Granny may be able to verify her age, but the service desk won't necessarily be local.
Here's the official Dutch government solution for if your mobile phone doesn't have NFC, if they don't support your phone's OS, or if they actively went out of their way to block your android distribution: "go ask for another person's device then" https://www.digid.nl/stappenplan/id-check-toevoegen-aan-de-d...
Seeing this kinda stuff makes me want to keep my physical license and ID. No need for digital ones, I'm good with the cards.
Along with chat control, it really seems like the EU is pushing a dystopian digital agenda.
I mean, the EU is something like a modern take on Soviet Union so it shouldn't be suprising.
Suuure, if the USSR had been a deeply neoliberal market economy. Something tells me you don't know anything about either the EU or the USSR.
While I agree EU is nothing like USSR, calling it a market economy is kind of questionable. It’s a bit of a hybrid, which companies allowed to market and sell on their own but with intense regulatory control over product design.
From USBC to ad supported business models, the EU has fairly tight control over how products are designed and monetized, in a way that I don’t think can be described as a pure market economy.
Note that I’m NOT saying their level of centralized control and government specification of product requirements is bad. It’s a legit trade off and there are arguments that some or all of it is enlightened. But it’s certainly not a place where you just build your product and ship it and let the market decide.
since when a market economy need to have no regulation?
Market economies are contrasted with planned economies, i.e. how prices are determined and production allocated, and the EU most decidedly is not that.
Well, obviously there are differences, but some overreaching and, I believe, unrealistic policies, such as the EU's climate policies, are somewhat reminiscent of the Soviet Union's central planning.
It's time to rush to Russia, while we still can.
If they accept us, of course. Not everyone is Snowden.
Did you forget the "\s" marker?
Russia is a one way step ahead here, with mandatory pre-installed apps, full-scale internet censorship (still catching up with China, though), mandatory DPI, etc.
This is strange, in Italy our eID system can be used from the desktop with a (recent) smart card reader
Add Belgium and Germany to the list.
Notably not the Netherlands. They've got the ID card chip (as required internationally iirc) but I emailed them once to get the public key so I can verify signatures (this was like 2016, I was still in school) and they said it was for governmental use only. It's not meant to be used by commercial entities
Why the EU decides to go with the bad example rather than the good example, I have no idea. Both ways achieve the stated goal of age verification and even the possible goal of universal ID tracking, without disallowing you to do whatever you want with your phone's privacy settings
this was the case in portugal too, although i don't know if it still is since gov apps have been pushed to the apple and google stores. edit: it should still work according to this https://www.autenticacao.gov.pt/cartao-cidadao/autenticacao
Gov app uses the "Chave Móvel Digital", which can be used in the browser, as well as in a variety of mobile apps. This CMD can also be used to digitally sign documents.
I believe it's still possible to use the physical card with a reader for many things.
I think some services still don't work with the CMD. Recently, I had to ask for changes to my car's document, and it seems it's only possible with the card itself. (https://www.automovelonline.mj.pt/AutoOnlineProd/)
It seems very reasonable to me for a first version of a system to only support the most popular platforms. Especially since this is open source, nothing stops enthusiasts to port the mechanisms to more niche platforms later.
> Especially since this is open source, nothing stops enthusiasts to port the mechanisms to more niche platforms later.
Not even hardware attestation?
surface tablet sales soar!
Lets pretend the EU would mandate Desktop Support, we all know it will be only applied to Windows and Apple. Maybe for Linux, BSD it will never be applied.
In anycase we all know ways of bypassing this age verification will be found, probably by the kids themselves. But all this will do is enable US big tech, killing the very EU based companies the EU has been crying about for years.
Meta, Twitter, Google and M/S could not have created a better law to protect them then this law.
Kids will bypass any verification by secretly using an adult ID or just straight away asking them to do it.
Hell the crazy things I used to do to connect to the internet after my mother went to sleep. She didn't wanted me using the internet because of phone charges so I secretly got into the roof to strip the phone wire bare and connect my own hidden cable that I would unroll and route it to my room to connect to my modem at night. YES part of it was to watch porn and download mp3s and roms. No I wasn't of legal age. Did my life got ruined by this? Well I'm an IT engineer now so arrive at your own conclusion.
I think this current hysteric moral panic is definitely being pushed by a lobby of a nascent AI industry that wants to create a problem for their surveillance tech solution.
This whole thing is good news for external hard disk manufacturers
What a sovereign tech indeed, considered that both Android and iOS are USA flagship mobile OSes...
Beside that, as long as people do not realize that Desktops are for personal ownership and personal production while mobile are only for surveillance and consumption all digitization efforts will push those who knows toward something else, cryptos instead of legal tender money, self-hosted stuff and so on.
As a result at a given point in time population will be split in two main cohort: those who knows vs all the rest.
Is there anything in the proposal to stop people from VPN'ing to a free country and access their porn from there?
No, but once VPNs have become the only escape hatch available, this will be used a justification to ban them.
VPN will maybe work for porn but, as they say, "Age verification plays a crucial role across various scenarios, including access to online services, purchases of age-restricted products and claiming age-related benefits."
no, like there's nothing preventing you from getting porn via USENET.
This has always been a "best effort" initiative that is unlikely to stop "dedicated" users.
I think they want to make age verification mandatory for subscribing to VPN services too.
Then you subscribe to the VPN with a VPN
Yes, the EU will implement DPI and VPN restrictions in the futrue.
You can’t fence in the wind
EU gonna EU. You should be thankful. If they made a desktop app answering the cookie banner would rival applying for citizenship in complexity.
You do know that all those sudden repairability and longer OS updates Samsung and Apple keep touting worldwide are due to EU regulations, right?
Easy battery and screen replacements, USB C on iPhones, 7 years of US updates, etc, all due to the EU.
Yeah, all sorts of pointless crap. 7 years of updates, that's the iPhone X? Yeah I couldn't care less. USB-C? Don't care. I use wireless charging. If we could lose all of that in exchange for losing cookie banners I would take it in a heartbeat.
In another couple of decades the EU will be an irrelevant market as their population becomes even poorer. Then we can finally be free of their nonsense. The only risk is that the Eastern European countries become more prosperous than the Western European ones and prop up their influence.
Looking forward to this becoming the norm in the US at some point around the time I retire from the tech sector to go farm. I will take a nice boat ride into the ocean and throw my phone into a particulary deep spot.
I said what I said, do not @ me.
A lot of people outraged by this but ultimately this is good news - the more flagrant & public the technical incompetence of the people putting together these idiotic systems, the easier mass push back will be to foment.
It's not lol.
The discussion has been shifted from "whether age verification should be a thing" to "how to implement a more convenient age verification system."
so a smartphone is required by law? that's fucked up
No! Only required if you want to participate in society.
And what gets me is that it's not just 'you need a phone', it's 'you need a Google or Apple account'.
You don't only need the account, you need a phone that is locked down with hardware components and cryptographic keys that attest it hasn't been modified "unauthorizedly". Where the authority is not the device "owner" but Google, Apple, and the manufacturer
The account would be easy enough with fake data and a 10€ prepaid one-time-use phone number. Finding an exploit in Android such that you can turn off Google's tracking but not trigger their "you modified your device" scans (that are to be tied to your government identity verification continuing to work) is a game I'm not looking forward to playing.
And neither Google or Apple are EU-companies.
not A smartphone: an iphone OR an android verified device.
not your linux phone with waydroid or fairphone with lineageos
Well, only smartphones made and controlled by American corporations that are subject to US laws.
These EU politicans should stay the fuck out of things they refuse to understand unless they want to see a real darknet take off.
At this point I think they very well do understand. Rocky times are ahead, TPTB know they're at risk if things get bad enough for the average denizen and they want to get in as much leverage against future dissidents as possible.
I looked into the Swiss version of this, which is documented here: https://swiyu-admin-ch.github.io/
They faced the same question. Here is their answer: https://github.com/orgs/swiyu-admin-ch/discussions/20
The tldr is that they have a legal requirement to bind "verifiable credential shares" with the same human who got the e-ID originally, up to the current best practical technology. On Android, they judge that to be "keep the private key in the HSM and require a local biometric (or PIN) unlock to use it". This is why they argue that proving your age will not be possible without a mobile device.
You can prove your age anonymously, for anonymous account, which can be used on a non-mobile device. It's just that the proving the age part must happen from a mobile device.
À propos of more or less nothing: in the Swiss context, websites requesting the proof will be required to request the least information necessary for their need. They must NOT ask for your name, ID number, or birthdate if the question they are trying to answer is, "is this person old enough for our service?"
This is excellent technology, and the Swiss law on it that we are voting for next weekend is an excellent law, so I urge a OUI/JA/SI vote on it, if you're a Swiss citizen.
> The tldr is that they have a legal requirement to bind "verifiable credential shares" with the same human who got the e-ID
Glancing at the thread, I don't see that conclusion. User 'sideeffect42' cites some laws and says
>> As I read this it nowhere says that the e-ID has to be bound to a device. It only speaks about binding it to its owner which (IANAL) could be implemented by password protection (like KeePass) as well, since only the owner knows the password.
Nobody seems to have replied to that
Alternatively, the software could just scan your ID card's chip when you need it, or whatever it is that it does for first-time-use verification anyway. It needs not require your phone is locked down, locking you out of any control over tracking, installed apps, or reading the phone's storage and network traffic to merely see what it tracks about you. The phone can simply act as an NFC reader so that your ID can sign a challenge with an "over 18" flag included within the signed data
And that's if you want ubiquitous age verification in the first place. I find that u/raincole made a good point here that outlandish implementations have successfully shifted the discussion away from the aspect of whether ID-based checks must be widely performed: https://news.ycombinator.com/item?id=45361883
> so I urge [to vote a certain way], if you're a Swiss citizen
Is this post genuinely trying to add something to the thread, or a way to promote your agenda?
Donald, is it you?
Bc it's a smartphone spyware
Erm... FUT?
- this project is just one implementation (POC if you want) - they simply state the current scope of the project
For anyone sane managing projects it makes sense to correctly allocate resources that would cover the most people.
and to all those whining butthurt individuals here - reality check is that it's way more probable that someone has and uses a smartphone than a computer. go out of your tiny bubbles...
Papieren Bitte, Citizen.