https://bmi.usercontent.opencode.de/eudi-wallet/wallet-development-documentation-public/latest/architecture-concept/06-mobile-devices/02-mdvm/
-
https://mastodon.social/@pojntfx/116345725515845020
A bit of an explanation
@pojntfx that Google dependency is unacceptable. That said, there is no reason (other than "they want to") to require a Google account to use the Play store (to download free apps). From a GDPR perspective, that is already a breach of the law, and already should have been fixed.
-
@pojntfx that Google dependency is unacceptable. That said, there is no reason (other than "they want to") to require a Google account to use the Play store (to download free apps). From a GDPR perspective, that is already a breach of the law, and already should have been fixed.
@tdelmas The whole remote attestation thing should be dropped from the proposal. The rest of it is unfortunate (no ZKs at all, just signed credentials), but the remote attestation part is truly asinine. I have no idea how and why that decision was made. The people behind this are adding a path dependency on Google/Apple on something as simple as showing your ID to buy alcohol.
-
https://mastodon.social/@pojntfx/116345725515845020
A bit of an explanation
@pojntfx Honestly I will remain off the opinion the digital wallets are by itself a good idea, and could potentially be more privacy-friendly than traditional methods (thanks to granular sharing of information) and lessen dependence on big tech (the alternative is namely that the private market will do this).
Having said that, that’s only if implemented right. A dependency on Google Play services is worrying, and shows we still haven’t learned anything from the past years.
-
@pojntfx Honestly I will remain off the opinion the digital wallets are by itself a good idea, and could potentially be more privacy-friendly than traditional methods (thanks to granular sharing of information) and lessen dependence on big tech (the alternative is namely that the private market will do this).
Having said that, that’s only if implemented right. A dependency on Google Play services is worrying, and shows we still haven’t learned anything from the past years.
@sstendahl Yeah, if they used ZKs I can see a way to make it great. But nobody - not one single country, anywhere on earth - is doing that.
And it's not just Play Services here. Those we can emulate with e.g. the EU-funded microG. It's specifically SafetyNet/remote attestation. That one can't be swapped out in any way we currently know. It's a hard dependency on Google.
-
@tdelmas The whole remote attestation thing should be dropped from the proposal. The rest of it is unfortunate (no ZKs at all, just signed credentials), but the remote attestation part is truly asinine. I have no idea how and why that decision was made. The people behind this are adding a path dependency on Google/Apple on something as simple as showing your ID to buy alcohol.
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx Ehh.. What ? That's a stupid bad implementation.
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
-
@arjen SafetyNet checks only pass on devices with unchanged, factory-sealed, non-unlockable firmware. Google has an allowlist of devices that pass that test. The same remote attestation mechanism is also used to block downloading the app through anything other than the Google Play Store, which you need a Google Account for. And you can't use Google if you're on the US sanction list (see e.g. the ICC prosecuter case). Using any open source OS of any type is also completely impossible.
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx I'm not surprised but still disappointed.
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx Sounds sovereign
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx I just don’t get it. In Germany, we have electronic ID cards with built-in secure and privacy-friendly age verification that does not even disclose the actual birthdate or identity. And we’ve had these for like, 15 years? So, regardless of whether we like age verification in principle or not, the sovereign technology is there!
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx It appears to be more of a rule that all the government projects are like this. Our national ID system here in Finland is also bit of a shit show, where Linux is technically supported but the software is god awful and buggy.
-
If a German citizen gets sanctioned by the US government, once this is implemented (later this year), that means they will no longer be able to be a participating member of German society, e.g. to show their (digital) driver's license to traffic police
@pojntfx This scenario raises two main conflicts:
Availability and Access: The GDPR and EU principles require that access to fundamental rights not depend on third countries. Forcing a citizen to accept the terms and conditions of a private U.S. company in order to use their state-issued identity is viewed by many regulators as coercion that invalidates the “free consent” required by the GDPR. 1/2 -
If a German citizen gets sanctioned by the US government, once this is implemented (later this year), that means they will no longer be able to be a participating member of German society, e.g. to show their (digital) driver's license to traffic police
@pojntfx Extraterritorial Surveillance:
There is a theoretical risk that, because it is integrated into the OS ecosystem, the manufacturer (under laws such as the U.S. Cloud Act) could be compelled to provide metadata on when and where the wallet is used, which conflicts with the GDPR’s prohibition on tracking. 2/2
-
If a German citizen gets sanctioned by the US government, once this is implemented (later this year), that means they will no longer be able to be a participating member of German society, e.g. to show their (digital) driver's license to traffic police
@pojntfx
You don't need to wait, nor for the US to be involved. -
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx so, totally understood the EU desire for digital sovereignty then?
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx this is unacceptable
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx
Germany is such a mess; they’re just useless, and there’s plenty of that -
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
-
So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function
Absolutely pathetic
@pojntfx Skimmed it and I’m not sure that they are embedding dependence on Google or Apple so much as recognizing that in a BYOD situation these are the tools they have to verify a device has not been tampered with or is not a credential stealing app?
I can imagine lots of other regimes like sending everybody a physical device like a TOTP generator, but for purely on-device is there another plausible way to do it? In a way where the average person won’t instantly lose their keys/credentials
