[HN Gopher] Dutch digital identity system crisis
___________________________________________________________________
Dutch digital identity system crisis
Author : softwarefreedom
Score : 251 points
Date : 2022-05-09 12:32 UTC (10 hours ago)
(HTM) web link (blogs.fsfe.org)
(TXT) w3m dump (blogs.fsfe.org)
| duxup wrote:
| My first thought was "yeah but what is the solution some sort of
| home grown mess the gov is supposed to develop..." But the German
| approach seems pretty neat.
| DoingIsLearning wrote:
| All EEA identity cards already have to comply with IEC14443
| standard. This standard also has open implementations for card
| readers.
|
| How is a phone app in a walled garden a better option for
| official authentication than the identity card you already use
| to identify yourself in all other official acts?
| thingification wrote:
| What is the German approach?
| edgyquant wrote:
| Only semi-related but I have become increasingly frustrated with
| spam from all domains to the point I am now in favor of users
| being mapped to their social security number when they go online,
| period. When I get calls, such as the five this morning, that say
| I am suspected of committing a crime (or a family member has, or
| I owe money I didn't know about etc) I should be able to report
| this and the individual be fined or arrested.
|
| We've lost the battle for privacy, were never likely going to win
| it from the get go imo, so let's at least use it to our advantage
| JacobThreeThree wrote:
| It's already trivial for spammers to purchase social security
| numbers and other IDs for spamming purposes.
|
| There's no reason to believe spam would stop if an online ID
| tied to a social security number is implemented.
| edgyquant wrote:
| I'm not talking about a social security number you input, I'm
| talking about a universal authentication system tied to
| individual SSNs among other things. Anyway theft of
| identities is far less common than scam calls, so your point
| isn't even valid to boot.
| silon42 wrote:
| This is also a problem for lots of banking in the EU now (with
| some exceptions -- using hardware TOTP or similar device).
|
| I can't log in to the bank without the phone. Also you can't
| verify online payments in most locations without the app.
|
| Previously the digital certificates were used.
| alpaca128 wrote:
| My bank has desktop apps but not for Linux. The only other
| alternative to a smartphone is a hardware TAN generator and
| they won't give me one because I "don't need it".
|
| At the same time they only allow a 5-digit pin as password for
| everyone, and as the phone is the second factor it doesn't have
| 2FA itself. The 5-digit pin is enough to access everything, you
| don't even need a username because the app is tied to the
| account.
|
| It's obvious they just threw something together to comply with
| regulations.
| consp wrote:
| > It's obvious they just threw something together to comply
| with regulations.
|
| Far worse, there is no regulation to force any of this it's
| just competition. Mostly by smaller "banks" with even worse
| track records concerning security.
| Aachen wrote:
| There is regulation, that's why we have mandatory 2FA for
| bank accounts. I think (but am not sure) that SMS phase-out
| is also part of that regulation, but that might also just
| be banks being happy to force their software onto more
| devices to do who knows what.
| grnmamba wrote:
| Yep, my bank forces me to use an Android/iOS only app. As far
| as I'm aware, there's not a single bank in my country that
| supports open 2FA standards, like FIDO2.
|
| Infuriating, and it's only going to get worse. And then the EU
| complains about Google/Apple's monopoly power - I wonder why...
| hadrien01 wrote:
| There's a single one in my country (Boursorama). Even more
| infuriating, banks are now forcing clients to use their apps
| to add beneficiaries without an artificial delay or to make
| an instant SEPA transfer.
| thesimon wrote:
| > FIDO2
|
| Lacks the reference to a transaction. An attacker could send
| unlimited transactions for 15 seconds after you approved
| yours.
| raxxorraxor wrote:
| The layer below does not have to protect against replay
| attacks. In fact solely relying on such a protection would
| be a security issue itself. The user could just generate
| the TAN here and sign the transaction.
| ryukafalz wrote:
| An attacker who has compromised the bank's servers could,
| sure. But at that point don't you have bigger problems?
| thesimon wrote:
| Well, the PSD2 opens the banking to third parties
| (basically OAuth, just for banks).
|
| So an approved payment initiation services (PIS) can do
| transactions on your behalf. But you still want to have
| control over which transfers they actually send, so you
| want to make sure the confirmation code only works for a
| certain transaction.
| Nextgrid wrote:
| I believe this would have to be implemented by the
| payment initiation service provider - as far as the bank
| is concerned, once you authorize the PIS provider they
| have full access and can initiate any transfers they
| want.
| trasz wrote:
| Compromising bank servers is less harmful than
| compromising individual customers, because it's the bank
| (or perhaps the insurance) that's bearing the
| consequences, not its customers.
| grnmamba wrote:
| You can include the transaction ID in the clientDataHash
| calculation, which will be signed by the authenticator.
| This protects against that attack.
|
| https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-
| cl...
| rhdunn wrote:
| I contacted my UK bank about this and they switched me to using
| an email confirmation where they send the OTP code to instead
| of via SMS. For my digital account, they previously sent me a
| card reader which the login process still accepts.
| thingification wrote:
| Which bank is that?
| quitit wrote:
| EU members: Android and iOS is a duopoly that must be addressed.
|
| EU member: lol, citizens get yourself an iPhone or Android or no
| digital services for you.
|
| Yes, I am glossing over nuance here - but how short sighted is
| this approach.
| Wowfunhappy wrote:
| From another perspective, the latter proves the former. Google
| and Apple are so dominant in the market that consumers have no
| choice but to use their services. As such, the services require
| public oversight.
|
| Yes, the Dutch government is itself perpetuating the situation,
| but they're only doing what private industry has for years.
| [deleted]
| [deleted]
| emteycz wrote:
| But that's a complete lie. There is the web, which has worked
| more than well enough for all government-personal contact
| purposes way before Android and iOS even existed. It's only
| now that they stopped caring about web and do the latest whim
| instead.
|
| And I just can't understand this logic?
|
| 1) Someone makes a platform, it's big and successful
|
| 2) State wants to overlord it, so they make apps only for
| said platform
|
| 3) State says platform is so dominant apps are only on said
| platform and there's no choice - must be regulated
|
| Wtf?
| Wowfunhappy wrote:
| That's not quite the order it happened, though:
|
| 1) Someone makes a platform, it's big and successful.
|
| 2) Private companies (banks, taxi services, streaming
| providers, education platforms) decide to only make apps
| for said platform, because the potential market of
| customers using anything else is too small to justify any
| business investment.
|
| 3) State says platform is so dominant apps are only on said
| platform and there's no choice - must be regulated.
|
| 4) State follows the same practices as private companies
| when making its own apps, for the same reasons as the
| private companies.
| emteycz wrote:
| That doesn't change anything about it being bullshit. Web
| is still there and better than ever, and works on every
| platform too (as it always did). For their purposes, it's
| feasible to render only the most basic HTML/CSS and
| process everything server-side; thus the choice to make
| only incompatible platform-specific apps is theirs and
| theirs only. The private sector - banks, taxis, etc -
| have absolutely nothing to do with it, and they're still
| doing webs today (more than ever, actually)!
| EMIRELADERO wrote:
| Government regulation doesn't only exist to thwart
| monopolies.
| Wowfunhappy wrote:
| > Web is still there and better than ever, and works on
| every platform too (as it always did).
|
| We're talking about an MFA solution, no? There's really
| no way to do that with pure HTML/CSS, you need some sort
| of TOTP generator.
|
| IMO, this is why 2FA should always be optional, but the
| rest of the world seems to disagree with me...
| emteycz wrote:
| Why is SMS auth (like my bank does, with plain HTML/CSS
| pages) not sufficient?
|
| Anyways, my government is sending me SMS for auth anyways
| and won't stop anytime soon. No need to introduce yet
| another requirement on the citizens.
| Wowfunhappy wrote:
| Because it's too easy to convince carriers to port
| someone else's phone number to a new SIM. I wish the
| carriers would address that, but that too would likely
| require some sort of government intervention.
| thingification wrote:
| Alas, if only the government could provide government
| intervention? Since they can't, we're left only with the
| option of government intervention to mandate use of
| android or iOS?
|
| In fact, intervention wouldn't have to be to change SMS.
| They could instead mandate a standard like U2F or FIDO2.
| If they really don't like those for some reason, EU
| states could get together and make a new standard and
| mandate that.
| thingification wrote:
| U2F has been around for a long time and has worked great
| for me for email (and is more of a real second factor
| than TOTP: you just plug it in and push the button and it
| does its crypto thing). There are similar newer standards
| like FIDO2. I think some of those standards work with
| smartphones too (haven't checked recently)?
| AlexandrB wrote:
| You have to remember that a government is not a single hive
| mind. 2 and 3 are probably being pushed by completely
| different groups of people with differing goals.
| emteycz wrote:
| That's one of the big problems of states. Every power you
| give a state government, there's someone (not one -
| thousands, if not more) waiting to do bad things with it.
| And while they're busy with it, the other part will keep
| claiming how you're a bad person because you don't want
| to help poor people.
| thingification wrote:
| > but they're only doing what private industry has for years.
|
| Thoughts similar to this one are often deployed here - like
| this:
|
| commenter A: This makes <problem related to surveillance>
| worse
|
| commenter B: It's only incrementally worse, so it's OK.
| Besides <other parts of problem> mean there's no practical
| difference currently (at least if you've already basically
| admitted defeat about <problem> as I have), so what possible
| rational basis could there possibly be for not going ahead?
|
| But many steps that make a problem incrementally worse can
| lead you to a bad place. Many steps that make things
| incrementally better would lead us to a better place. And
| with a tangled problem like this is by now, I think you do
| sometimes have to accept that not every step may always make
| a practical difference for many people, if you want to move
| towards a solution rather than forever away from it.
|
| In this case I'm surprised to see you use the word "only" -
| government starting to mandate something is a significant
| step over even a duopoly doing so, because the cost of trying
| to ignore a government mandate can be much higher even than
| ignoring the smartphone duopoly - right? I can and do avoid
| the smartphone duopoly currently, but good luck to me if the
| government mandates it, eh?
|
| Also given government power, in some ways it's a lot easier
| to make progress on knotty problems like this one than it is
| for a company, because government has a lot of power - so in
| that sense they have less excuse than private industry for
| moving us backwards here. Of course the public, though I
| think they see the problem to some extent, don't really
| believe in solutions yet. It's up to us to give them
| confidence that better solutions exist.
| duxup wrote:
| I wonder how much of it is also.
|
| EU member: Hey IT team get us some sort of identity
| verification! (doesn't care about the details)
|
| The nuance and knock on effects, costs, and etc of policy are
| often hard to account for, but big sweeping legislation sure is
| nice to think about.
| raxxorraxor wrote:
| That is really counter to the recently proposed Digital Markets
| Act. I wouldn't want this and I don't have a verified account for
| either vendor. I have a Google account with a fake name and that
| is it. I don't want a digital ID either, the anonymous web is the
| best web. If there is a purpose like a transaction, be my guest,
| but otherwise I prefer to keep it shallow. EU countries are known
| for surveillance of citizens and they need strong limits as to
| what they are allowed to do. There are still significant problems
| with home searches too with the exception of cases like human
| trafficking apparently.
| AshamedCaptain wrote:
| For a lot of time I've been trying to find e.g. a bank that would
| not basically require an Android or iOS device for me to shop
| online. Many of them even have "root detectors" which basically
| means these programs won't work in "rooted", "de-Googlefied"
| and/or free Android implementations. After some complaints the
| only thing I managed to get is for them to fallback to SMS 2FA
| which at this point I consider a blessing.
|
| I've already said this numerous times here on HN, but it is a
| dark future we are getting into. The only thing that came
| remotely close to this level of "you require this proprietary
| software for daily life" level of danger was ActiveX.
| layer8 wrote:
| Maybe there's a market for dual-OS-installation smartphones, as
| an extension of dual-SIM ones.
| mFixman wrote:
| In case you are still looking for a card that will work without
| an app, American Express sends you emails and SMSs with
| validation codes for online purchases.
| ThePowerOfFuet wrote:
| FWIW, Bunq's app works on GrapheneOS without any Google
| services installed whatsoever.
| floren wrote:
| Can't you just use a credit card?
|
| Every time any HN discussion veers toward alternative
| smartphone OSes, for instance, people come out of the woodwork
| to talk about how they just couldn't possibly access their bank
| without an Android or iOS device... what are you all doing with
| your bank so often? I log in a couple times a month, from my
| PC, to check balances and pay my car loan. I've certainly never
| needed a damn app.
| 0xFF69B4 wrote:
| Not in the EU. I pay for a lot of nonrecurring things via
| money transfer and I need a TAN for every online transaction.
| Before mobile apps they would occasionally mail me a list of
| like 50 of them [1] but that's not a thing anymore. Every
| online credit card transaction has to be confirmed in the
| banking app as well.
|
| 1: https://en.wikipedia.org/wiki/Transaction_authentication_n
| um...
| beebeepka wrote:
| I don't have a credit card but sometimes I can't even buy a
| game on Steam without using a damn app. Trying to shop online
| has turned from nightmarish to impossible without these apps
| in just a couple of years.
|
| I tried using the site of my bank but I could never make it
| work. There's no fighting it and it sucks.
| AshamedCaptain wrote:
| Most banks in the EU require 2FA _every time_ you use a
| credit card online, due to an EU directive:
| https://en.wikipedia.org/wiki/Strong_customer_authentication
| Symbiote wrote:
| I've started using MobilePay -- the Danish send-money-to-
| anyone-with-a-phone-number system -- rather than a
| debit/credit card wherever it's offered.
|
| I've usually provided my phone number already, as part of
| the delivery address, so it's a click to choose MobilePay,
| another to confirm the number, then I fingerprint-unlock
| the MobilePay app and swipe to confirm the payment request
| that appears.
| rvense wrote:
| It's not really "send-money-to-anyone-with-a-phone-
| number", it's "send-money-to-anyone-with-the-mobilepay-
| app-installed" - and it only works on iPhones and
| unrooted Android phones with Google services enabled.
|
| As someone who doesn't have it, it's very rapidly become
| the thing that makes me feel the most like a second-class
| citizen.
| raverbashing wrote:
| Not literally _every time_ , it has a value threshold (also
| depends on your previous relationship with the vendor, I
| guess)
|
| So, for most purchases it just doesn't trigger
| heavenlyblue wrote:
| Yeah. My TSB bank recently implemented this:
|
| - enter credit card details on the website
| - go to the mobile app, enter second password
| - receive an SMS to my phone number with 2fa code
| - log in to the app, approve the payment
| - enter first account password
| - go back to the website and click continue
|
| That's all together with iOS FaceID enabled. Monzo is
| actually way simpler.
| tremon wrote:
| Are you suggesting the parent rely on one US-based oligopoly
| to avoid using another US-based oligopoly?
| jeroenhd wrote:
| My bank doesn't seem to do root detection. I haven't tried it
| on a phone without at least microgapps but I'm pretty sure that
| it just works. Even on LineageOS with root I never really had
| any problems.
|
| I do recall seeing a popup at one point ("hey we see you've
| done some weird shit to your phone, call us if you don't
| know what rooting means" or something like that) but that's
| really just about it.
|
| I should try running it in Anbox, come to think of it. Would be
| a fun experience.
|
| If you're a developer in the EU and you think you can do
| better, the PSD2 system is set up to allow for fintech
| solutions like these. You'll need to get the necessary
| documentation in order, or even a license, to get access to
| actual banking APIs (thank goodness) but from that point on you
| should be able to write your own app. You'll have to be very
| careful, though, you don't want to anger the financial
| regulators.
| rainmaking wrote:
| Which bank is that? My bank sees weird shit on my phone, it
| shuts down with no error message. I want in.
| jeroenhd wrote:
| Your mileage may vary, but https://ing.nl/ has been working
| great for me. Probably not as good outside the Netherlands.
|
| https://play.google.com/store/apps/details?id=com.i
| n...
|
| Also, I tried running the app in Anbox but there's no x86
| build of the APK and Google's ARM Android emulator is just
| broken these days, the VM doesn't even boot.
| ThePowerOfFuet wrote:
| Bunq's app works great on GrapheneOS without any Google
| services installed whatsoever.
| xyzzy_plugh wrote:
| You're not wrong, but it's a real problem, both technically and
| socially, without much in the way of a good solution. Android
| and iOS provide significant security by virtue of the chain of
| trust starting with Google or Apple down through their
| software and hardware (Google is a bit special here, I'll
| admit).
|
| This makes it easy for businesses like banks to work with those
| ecosystems and provide a secure experience without inventing
| much themselves. What's the alternative? SMS 2FA is abysmal.
| Maybe they could provide you a configurable webhook, but now
| they don't control the experience, and that's part of their
| requirements. Not to mention I wouldn't trust a bank to
| implement webhooks correctly.
|
| The problem is we're becoming sophisticated enough as a society
| that we are forced to rely on a few establishments to maintain
| that sophistication. Whether it's for chain of security,
| microprocessors, springs in our toasters, it's not possible to
| keep everything open and interchangeable while maintaining our
| current way of life.
|
| I'd love that, but it's not realistic, as far as I can tell.
| mateo1 wrote:
| One thing that can and must be fixed instantly is to
| legislate that these businesses can _not_ deny their services
| to anyone, just like systemic banks and the post office.
| Wowfunhappy wrote:
| > SMS 2FA is abysmal
|
| Is there actually anything wrong with SMS 2FA, other than SIM
| swapping?
|
| SIM swapping isn't a problem with SMS so much as the phone
| carriers, who really need to put stricter processes in place
| for verifying account transfers. IMO, they deserve most of
| the culpability.
| justsomehnguy wrote:
| Have only a small amount of money on your regular account
| for the everyday means, with all the money on another
| account whatever.
|
| Lose your wallet with cards, lose your phone (or just a
| phone with Apple/GooglePay). Get a replacement SIM, be
| locked out of receiving any SMS for 24h[0]. Now be
| somewhere where is no local branches of your bank.[1] Or
| even better - be abroad.
|
| Or just be in a taxi at 9PM when no one works and the bank
| locks you out - just like when it happened to me. Gladly I
| found an ATM where I could withdraw from a secondary
| account.
|
| [0] Actual practice of cellular operators in my country.
| _Safety_
|
| [1] Even better with the virtual banks without any.
| Thlom wrote:
| In Scandinavia we have BankID which kind of uses SMS, but
| not quite. When I try to authenticate it sends a message to
| my phone and then I have to type in my 4-8 digit pin code
| on my phone. Apparently they have put a tiny application on
| the sim card, so sim swapping isn't an issue. Whenever I
| get a new sim card I have to authenticate the sim card
| using my hardware token and password.
| Ekaros wrote:
| Finland I got sometimes SMS in flow. For bank login it is
| account and password, then one time code. Then when
| making transaction getting SMS with which one time code
| to enter. And then when paying with confirmation same
| thing but just with SMS code.
|
| I don't really see point of SMS in flow, but hey I can
| somewhat live with it.
| rsync wrote:
| "What's the alternative? SMS 2FA is abysmal."
|
| It seems to be forgotten that _email 2FA exists_.
|
| I can't quantify the risks relative to SMS 2FA because there
| are such broad ranging implementations but given the broad
| adoption of gmail, how many people can really snoop
| unencrypted email traffic at backbone chokepoints ?
|
| There are many cases where I would be perfectly happy with
| the risk profile of _either_ SIM swap attacks _or_ email
| interception.
| jamal-kumar wrote:
| It's a lot easier to compromise an enormous purchased batch
| of email addresses than it is to do SIM swapping attacks on
| that scale
| daveoc64 wrote:
| The main problem with email 2FA is that if someone gains
| access to your email account, they can reset your passwords
| on many sites and services. They can then bypass both the
| password (by resetting it) and the 2FA (by simply reading
| your emails).
|
| Even better, if you re-use passwords, they can use one
| password to access your email account and the service, and
| get the 2FA token via email.
| amelius wrote:
| > The problem is we're becoming sophisticated enough as a
| society that we are forced to rely on a few establishments to
| maintain that sophistication.
|
| Come on, we have open webbrowsers, which are 100x more
| difficult to implement than a chain of trust. Surely,
| somebody could come up with a reliable alternative.
| shkkmo wrote:
| > What's the alternative? SMS 2FA is abysmal.
|
| There are cross platform MFA solutions that could be
| supported. Your guess is as good as mine as to why banks
| don't support them.
| cm2187 wrote:
| Not really a technical challenge. You could force an
| equivalent of POSIX, maybe based on WASM, that smartphone
| makers would be forced to support if they want to sell in
| your region, and forced to support side loading those apps,
| as no government should be subject to the caprices of the
| various app stores. At this point smartphones have a fairly
| mature feature set to expose to the app. That would also help
| with the anti-competitive app store practices.
| AshamedCaptain wrote:
| Before the "standardization" on SMS first and later on
| Google/Apple systems, there were a number of methods, since
| banks did try to do R&D to cut out on fraud:
|
| * One-time-pads (yes, I had a bank that would give me a card
| with 50 codes you were supposed to use once, then go back to
| the branch for more. Didn't last long, though, and was
| replaced with:)
|
| * Reusable codes: bank gives you a card with 50 codes. Bank
| randomly asks you for code number X. X may eventually repeat
| over time. (Bank also tells you your specific card serial
| number so that you can identify them).
|
| * Credit cards housing an actual e-Ink display that would
| give TOTP codes. https://www.e-ink-info.com/e-ink-used-
| create-dynamic-cvv-cre...
|
| * Actual FIDO devices.
| aenis wrote:
| My bank issues a fido device: a card scanner with a built
| in camera that reads qr codes. Excellent tool, but for a
| few years now the bank is actively discouraging its use,
| touting the benefits of apps instead. It costs them around
| 60 euro to issue the device, and, sadly, that's incentive
| enough to advocate less secure solutions. When they take it
| away from me, I am out of options as this is the last bank
| in my country that issues them to individuals :-/
| teekert wrote:
| Rabobank? Yes it's nice but I always find it a pain haha.
| 60EUR wow, when they were first sent around they very
| easily gave me 2 extra to put at work etc.
|
| What about N26, I don't remember needing the app and I
| can log into a website. Not sure though...
| polskibus wrote:
| Why is SMS 2FA abysmal?
| Terretta wrote:
| _Dutch digital identity verification system DigiD has announced
| the phasing out SMS as second factor. That way they require
| citizens to install a smartphone app in order to use digital
| services from the government, municipalities, the health sector
| and others. These applications only work on iOS and Android
| phones, with reliance on third party services._
|
| _Plenty of members of our community choose not to use a device
| that is tied to vendor-specific services._
|
| What does phasing out of SMS have to do with this? SMS is using a
| device (SIM or eSIM) that is tied to (wildly insecure) vendor-
| specific services.
|
| Further, a decent alternative, TOTP, is not iOS or Android
| specific. Nor are Yubikeys.
|
| It's unbelievable to me how many people's accounts are tied to,
| and have been reassigned to bad actors by, their telco, and yet
| banks still think this is a lovely idea.
|
| Pretty convinced the survival of SMS as 2FA is, as made clear by
| FB among others, excused "because we take your security
| seriously" but actually implemented for tying you to your data
| master record.
| jeroenhd wrote:
| TOTP is easily phished and the Digid app is using a sort of
| challenge/response system that shows you the government service
| that you're authenticating to. It can still be phished, but
| nobody is applying for government grants by faking a tax
| service login page if you're not ignoring the screen in front
| of you.
|
| I don't know a second factor standard that provides the same
| level of validation. FIDO2 is probably more secure but it
| doesn't support the current security mechanisms already in
| place right now. I'd like the standard to be extended in some
| way, like Yubikey-like devices with screens to verify what
| you're doing with the necessary key attestation for government
| services, but we can only wait and see.
|
| I'm not sure if these apps require Google Play services or not,
| but if they don't, I have no problem with them from a privacy
| perspective. You can run them in Anbox if you want and they're
| some of the lowest permission apps I have on my phone.
|
| The real victims of this move aren't the privacy enthusiasts
| who run Qubes on their coreboot-enabled Thinkpads, they'll find
| a way. I'm worried about the elderly and other less technically
| minded who have no idea how any of these apps work. The
| government doesn't provide them any courses on how to use their
| services and neither do the banks. The layout and flow of the
| official apps keep changing and it's impossible for some to
| keep up. People say "well you should just Google it then" but
| that's even worse, because that's the easiest way to get
| scammed out of your money. Someone will definitely have paid
| top dollar for an ad that matches keywords like "how to log
| into bank" leading to a step-by-step guide on how to transfer
| all your money to a money mule.
| thingification wrote:
| > FIDO2 is probably more secure but it doesn't support the
| current security mechanisms already in place right now.
|
| What do you mean by this? What security mechanisms, and why does
| FIDO2 need to support them?
|
| There's also U2F of course, but in the absence of more
| pressure I guess that everybody who was using that will use
| FIDO2 or nothing (seems like a regression from my point of
| view - I don't have any need for passwordless login).
|
| > The real victims of this move aren't the privacy
| enthusiasts who run Qubes on their coreboot-enabled
| Thinkpads, they'll find a way. I'm worried about the elderly
| and other less technically minded who have no idea how any of
| these apps work.
|
| The real victims aren't any individual but society - the real
| problem is destabilisation through centralisation of power.
| theragra wrote:
| In Latvia, we have multiplatform app that can read e-signature
| from your ID card. Not ideal, but still what author would
| approve, I think. I'd prefer 2-FA using code generator.
| aaomidi wrote:
| The problem with these also end up being like. Does that app
| share info with third parties? Who made the security chip in
| the IDs. How fast are the IDs replaced when vulnerabilities are
| found?
|
| I don't really get putting cryptographic IDs into citizen
| identification. There's not much it provides other than, "well
| someone had this ID and knew some pin when this ID was used".
|
| The unfortunate side effect of this is, less technical people
| might see a digital signature as a full and complete proof.
| While it definitely is not.
| daveoc64 wrote:
| > The unfortunate side effect of this is, less technical
| people might see a digital signature as a full and complete
| proof. While it definitely is not.
|
| It's far better than the status quo where easily forged
| documents (passports, driving licences, utility bills) that
| have a validity period of 5-10 years are considered
| infallible proof of everything.
| Nextgrid wrote:
| In addition, it being cryptographic could mean that you no
| longer have to share any more data than necessary.
|
| Let's say that you want to implement age verification - all
| you need is for the card to sign a challenge saying that
| the user is old enough (which the backend can verify based
| on public keys published by the government) without having
| the card reveal anything else.
| aaomidi wrote:
| Except people have a much better understanding of how these
| fail which generally makes a lot of the process
| "reversible" with police reports etc.
| farmerstan wrote:
| Google just forced me to identify myself through credit card
| because it threatened to delete one of my kids' gmail accounts.
| Somehow they detected that my kids weren't over 18 and said if I
| didn't register them under my account it would be deleted.
|
| The fact they can figure out my kids' ages based on their online
| behavior, and through their tracking and monitoring is fucking
| chilling. They don't even use Gmail often at all.
| Workaccount2 wrote:
| I would assume they were prompted for their age on youtube.
| farmerstan wrote:
| Your assumption would be wrong. They were never asked their
| age and even if they were they would know to ask me what to
| do because I told them that they would get locked out if they
| put in the wrong numbers. And as expected they can no longer
| post to YouTube for some reason even though there are plenty
| of YouTubers below 13.
| scarface74 wrote:
| So you're complaining that Google is trying to follow the
| law and you're making your kids lie about their age?
|
| You don't see the problem with this?
| Nextgrid wrote:
| Nowadays you have to lie about a lot of things if you
| want to use the internet efficiently (or sometimes _at
| all_).
| scarface74 wrote:
| So you mean a government regulation by politicians made
| the internet worse? You don't say...
|
| See also, the millions of cookie banners that infest
| every web page because of the EU.
| beebeepka wrote:
| You know damn well the cookie banners are only required
| for websites that are tracking users.
|
| It's not about using cookies
| scarface74 wrote:
| No, the banner disclosures are only required because a
| bunch of technologically inept politicians required it.
|
| Have they made browsing the internet better? Have they
| decreased tracking?
| Aachen wrote:
| Ads and spam is what's ruining everyone's experience. If
| we would pay for services rendered then there is no need
| for tracking. If we could effectively prosecute and/or
| block spammers then there would be no need for anti-spam
| algorithms (from email to services like twitter and
| discord, iirc yesterday there was a thread about
| automatic bans based on secret algos with no recourse).
|
| Government regulation is an attempt to make people aware
| this tracking exists: every time you see a wall, that
| means the site requires a level of tracking for which
| there exists no legal basis other than consent, thus it
| has to ask you if you're okay with that (like any ethical
| site should do anyhow).
|
| Automated decision making is also part of GDPR but
| unfortunately is very very weakly implemented. Basically,
| companies just have to tell you it exists (if and only if
| it has a significant impact on your life), and then your
| only recourse is to request a human in the loop, and they
| will just press the same button as the AI did and you
| have no idea if they even looked at your case because the
| decision making doesn't have to be transparent. And
| that's only for important life things, none of this even
| applies to being banned from google account unless you
| sue them and get the judge to agree this has a major
| impact on your life.
| scarface74 wrote:
| I do. I pay for both a phone (Apple) and Office Suite
| (Microsoft) that's not created by an adTech company.
|
| How is any of the GDPR actually working out? Has it made
| a difference? Has it made the web better or worse?
|
| As far as depending on Google - don't?
| sjroot wrote:
| Based on Google's documentation on supervised accounts [1],
| sounds like your child is/was under 13?
|
| They don't have these checks in place for the fun of it.
| They're usually legally mandated, otherwise some parent will
| sue them because "Google exposed my child to X Y or Z"
|
| [1] https://support.google.com/families/answer/7106787?hl=en
| farmerstan wrote:
| The issue isn't with the registration, which is another issue
| altogether. It's with them tracking the behavior somehow and
| then deducing their age to such confidence that they
| threatened to delete their account in 14 days. It wasn't a
| guess.
|
| And yet they are so fallible in their other forms of
| detection like fraud that lock people out of their accounts.
| The entire thing is creepy and maddening at the same time.
| vxNsr wrote:
| Most likely your kid was asked their age to access
| something and was honest.
| trasz wrote:
| It's a bit unfortunate that we need to teach our kids to
| lie to service providers to be safe.
| woeh wrote:
| This is such a problematic mechanism. What if your bank
| requires you to KYC with a passport in order to get a credit
| card, and Google requires a credit card like you mention? If
| your passport is expired you might find yourself in a catch-22
| between Google, your bank and the government.
| AshamedCaptain wrote:
| Google frequently thinks I'm a minor, despite the fact my
| Google account is by now almost 18 years old (opened back when
| Gmail was invite-only).
|
| I think their system just blindly classifies every account as
| minor unless they purchase something.
| blippage wrote:
| And then they (in the UK, at least) issue debit cards that you
| just swipe to pay. No authentication whatsoever.
|
| Otters banging rocks, my friend, otters banging rocks.
| jlokier wrote:
| There are small limits to the amounts and total you can spend
| by swiping this way, and then you have to authenticate by
| another method to reset the swipe block, so the possible
| financial damage is limited.
| Aachen wrote:
| To have a valid train ticket on your phone (for those without
| printer), you are also required to accept the google or apple
| terms of service and privacy policy. You can download a pdf
| ticket, but the data matrix on there is only valid if you print
| it out!
|
| Last year a big hosting company in the Netherlands introduced a
| requirement for existing customers to accept the Google TOS/PP
| before being allowed to log in. Support of course did not see the
| issue, like literally could not find it. I had to send them
| screenshots with markings before they saw that the google captcha
| they had introduced includes some small gray links.
|
| This might not even be such a big deal if the privacy policy
| explained the data sharing that will actually happen. Rather,
| there is one fairly short document that applies to literally
| everything from hosted email to captchas to hardware in your
| home. Thus it has to say that they will use all gathered data for
| basically any purpose. Something tells me this cannot possibly be
| legal (iirc GDPR requires specific and understandable language),
| but that's the state of affairs.
|
| (Another interesting example was me asking in a chat with ~100
| people whether anyone had read the TOS update yet from our broker
| --the place where you keep your pension money and stuff. The only
| reaction I got was "anyone reads that? xD".)
|
| Kinda bothers me that everyone is just going along with any terms
| for convenience. It's ripe for abuse and doesn't have to be this
| way.
| DharmaPolice wrote:
| The TOS thing has surely reached the point where it's simply
| not reasonable to expect people to read them. Put another way -
| how many people read every single terms of services / privacy
| policy / end user licence agreement they see in full? I would
| be shocked if it's more than one in a million. Depending on the
| services you use (and how frequently they update them) this
| could require dozens of hours of reading every single week (and
| many more hours of analysis to fully understand them if that's
| even possible without training).
|
| Legislation asking (indirectly) that companies shove even more
| of these "Click here to read our cookie policy" type messages
| into everyone's faces has only made the problem worse.
| Aachen wrote:
| > Legislation asking (indirectly) that companies shove even
| more of these "Click here to read our cookie policy" type
| messages into everyone's faces has only made the problem worse.
|
| Disagree here. It's not gotten worse, it's gotten more
| visible. It's only ethical to ask people before tracking
| them, so any site should have done this already. This
| legislation forces businesses to act more honestly towards
| users in this regard.
|
| Businesses impacted then take this and frame it in a manner
| of "we're very sorry that your government forces us to annoy
| you with this, but if you'd just sign here we'll be right out
| of your way..." and the vast majority of techies swallow it
| because it is, indeed, annoying to have to sign away privacy
| again and again.
|
| It doesn't have to be this way. See the omission of a cookie
| wall on various sites that don't do anything that requires
| special consent.
| ezfe wrote:
| >To have a valid train ticket on your phone (for those without
| printer), you are also required to accept the google or apple
| terms of service and privacy policy. You can download a pdf
| ticket, but the data matrix on there is only valid if you print
| it out!
|
| How does this even work? QR codes don't magically change when
| they're printed.
| schroeding wrote:
| They are just not accepted by the conductor. But those
| policies can also change in the (IMO) "right" direction, e.g.
| the German Deutsche Bahn changed their policies a few years
| ago and now digital tickets are accepted[1] in PDF form on
| digital devices, while they previously were not.
|
| [1] https://community.bahn.de/faqs/muss-ich-mein-online-gekaufte...
| (German source, just saying that it can be used in the app or in
| PDF form on your smartphone, tablet or notebook)
| Aachen wrote:
| > How does this even work? QR codes don't magically change
| when they're printed.
|
| Tell me about it.
|
| Or, wait, tell _them_!
| m-s wrote:
| It's fine to present a pdf, as long as it's legible and the
| code can be scanned.
|
| > Het E-ticket dat wordt geladen op een mobiele telefoon,
| tablet of laptop is alleen geldig als vervoerbewijs als het
| duidelijk leesbaar weergegeven kan worden op de mobiele
| telefoon, tablet of laptop.
|
| https://www.ns.nl/binaries/_ht_1553092893605/content/assets/...
| Aachen wrote:
| Literally on the PDF ticket it says it is _only_ valid when
| printed out in full or when loaded in the app that can only
| be gotten legally through google or apple.
| yunohn wrote:
| Yeah I've shown PDFs before, and as long as the QR code is
| scannable the NS conductor doesn't care.
| thingification wrote:
| > To have a valid train ticket on your phone (for those without
| printer), you are also required to accept the google or apple
| terms of service and privacy policy. You can download a pdf
| ticket, but the data matrix on there is only valid if you print
| it out!
|
| It seems that requirements to "consent" to TOS for things like
| major transport systems (government or not) or government
| health services (NHS services in the UK for example) just
| aren't consent in anything but some technical legal sense.
|
| > Kinda bothers me that everyone is just going along with any
| terms for convenience. It's ripe for abuse and doesn't have to
| be this way.
|
| I think it's not so much convenience as a change in the laws of
| the game? With TOS presented human-to-human, people in the past
| would have been more likely to react in a human way to the
| _person_ offering them the TOS, businesses and governments
| would be constrained. Even if they got TOS in the post, there
| was a human in the loop to complain to and argue with. With TOS
| online, it's a fait accompli, which changes the costs to both
| parties.
| motohagiography wrote:
| It's disingenuous to say citizens are being forced through
| google/apple for identity, when all govt services are now
| partially online, and we need a way to do identity, and
| federation with identities people already use and leveraging
| their authentication - and then adding proofing on top of that,
| is the most privacy protecting way to approach it.
|
| Have been an architect on citizen identity schemes, and the
| conversation in govt that happens is mainly about whether to
| design and impose a new card based system (or similar) that has
| every foreseeable feature they might need for the next 15-20 years
| it will take to get them out of circulation, and then write a
| gateway for it that applications have to integrate with - or
| federate to peoples' existing IDP's like banks, social platforms,
| and mobile devices using open protocols for authentication (SAML,
| OIDC), and then kick the can down the road on identity proofing
| for those credentials.
|
| There are obviously tons of other factors and moving parts, but
| resolving this conversation within institutional governance
| frameworks is pernicious. A great example is that the legislative
| mandates of different government agencies may prevent them from
| sharing information about a citizen between them - because from a
| privacy perspective, there is no reason one agency should be able
| to use others to collect intelligence about you, because their
| only job is to provide you a service, and that is strictly
| prescribed.
|
| The way we did it for federal services was a SAML federation
| between online banking and the federal government login, using a
| proxied MBUN (meaningless, but unique number), which has been in
| operation for over a decade and has been an acceptable privacy
| solution for all involved.
|
| We don't have universal domestic identity cards in Canada
| because, like Germany, and other countries post WWII, we have a
| memory of how internal passport systems get used. The internal
| vaccine passport scheme for covid is wildly out of line with
| privacy legislation and outside the remit of government to
| institute in many ways, and was pushed through using emergency
| powers, and you can see how it has lost some momentum, but be
| assured, it will be back, this isn't their first rodeo trying to
| get national identity cards imposed, and these people never seem
| to give up.
|
| We have a public health care system with cards for every eligible
| citizen, but the legislation for the cards explicitly defined the
| ID cards as not legal to use as any other form of identification
| (which again, may have changed during the pandemic), because
| using healthcare to impose a national identity system has
| historically (80s, 90s and into 00s) been seen as totalitarian,
| literally, the gesunteitpass/ahnenpass of a former age. Canada
| was where people escaped to from those regimes in the 20th
| century, and memory of them is still part of the national
| culture.
|
| Also, where do you think identity comes from? Your name is from
| your family, birth certificate is issued through a hospital, your
| baptismal certificate by a church, your childhood vaccination
| cert by a municipal public health unit, drivers license by a DMV,
| your tax id and passport through a federal govt service, etc.
|
| Your "identity," is not a document or a real thing, but rather,
| attributes associated with relationships, and even if we use
| biometrics and tag a guid to that and put it on some stupid
| immutable blockchain, it is still an artifact of relationships
| that are not the same for everyone. Anyway, there are maybe 1000
| people in the world with similar knowledge on this topic as
| mine, so please, AMA.
| Beltalowda wrote:
| > We don't have universal domestic identity cards in Canada
| because, like Germany, and other countries post WWII, we have a
| memory of how internal passport systems get used.
|
| Germany does have national identity cards though.
|
| The whole "no ID card" is a very peculiar Anglo-Saxon thing:
| US, UK, Ireland, apparently also Canada. Of course, you have
| passports and driving licenses, so _effectively_ almost
| everyone does have ID, just less conveniently.
| ovi256 wrote:
| France also has a new initiative to replace the old SSO for all
| gov services (FranceConnect) with a new system called France
| Identite, that also seems dependent on smartphone apps, so
| Google/Apple:
|
| https://france-identite.gouv.fr/
|
| The old system worked fine and will still be necessary for the
| people who can't enroll in the new one, like resident foreigners
| who won't get a French biometric ID card.
|
| One has to dig a bit, but as the proposed workflows use a
| smartphone app, it looks to be dependent on the Android/iOS
| platforms.
| seszett wrote:
| That website explicitly says that it will not _replace_
| FranceConnect and other identification options and will never
| be mandatory or the only way to identify, though. Maybe you
| think they're lying on the website and have ulterior motives,
| but they explain it as just an additional identification option
| for FranceConnect. I'm welcoming it because I find it absurd to
| use my social security login to identify for asking for a birth
| certificate, and chip ID cards are the obvious thing to use for
| identification with public services.
|
| It looks a bit like what we also have in Belgium, but with more
| (or different) options and with an app that is not privately
| owned at least.
| AshamedCaptain wrote:
| Note that the original gov proposal was shot down by the French
| CNIL (translates to ~ national commission for computing &
| freedom). The new one seems to be basically a QR code only, so
| it basically can "run" on anything capable of showing a pixmap,
| albeit I am yet to understand what exactly it is.
| throw7 wrote:
| They should've supported TOTP, then phased out SMS. I mean, they
| should still add support for TOTP, but thumbs up their asses.
| donalhunt wrote:
| The Irish government attempted to introduce an ID scheme through
| a back door and got their knuckles rapped by the Data Protection
| Commissioner here due to a number of reasons (lack of information
| regarding what citizens were signing up for and how their data
| would be shared; lack of legislation to support such a
| card/database; lack of rationale for more or less indefinite
| retention of your most personal information).
|
| One outcome of the legal cases and appeals is that any government
| organisation using the card / database for identity verification
| (lots tried to make it the only form), must make an alternative
| approach available that is as convenient. The reality is that the
| alternatives usually require you to present in person and
| staffing levels have been lowered during COVID / because many
| people have switched to the digital system.
|
| So there is a trend across Europe to implement this. I personally
| feel, that in many cases the investment in digital solutions is
| worthwhile (it's painful watching government employees type in
| information that the organisation already has access to - wastes
| time for everyone). BUT... It has to be done in an open,
| transparent and legal manner.
|
| Highlighting the issue at an EU level, may result in frameworks
| that deliver the best solution for all EU citizens.
| consp wrote:
| When (and if) the government finally opens up the eHerkenning
| (commercial part available for companies, not for personal use)
| to all people you can choose your own identity provider. This has
| been going on for years now and unfortunately it's not looking to
| go anywhere since new EU legislation is forcing it to the
| background for personal use.
|
| Iff this would have been opened up a third party provider could
| make something available on any platform (with requirements of
| course). Won't solve the problem but at least someone would be
| able to instead of no-one.
| Wowfunhappy wrote:
| Are there any potential legal issues with requiring citizens to
| sign a contract (the Google or Apple Terms of Service) in order
| to access government services?
| Beltalowda wrote:
| It's not strictly "required"; you can just do things the old
| way; I don't even have DigiD, although quite a few services
| just _assume_ you have it and will send you "post" over it,
| which I then can't read. It took me about a week of
| communicating and 15 emails with my health insurance to get
| them to send me post.
| alpaca128 wrote:
| So if you're permabanned by Google and Apple (which isn't that
| far-fetched) you're out of luck?
| kingcharles wrote:
| Yes, at this point I guess you'd have to just visit your bank
| branch to conduct transactions, or perhaps phone banking.
|
| I remember once when my bank didn't trust me enough to even
| have a debit/ATM card and forced me to go into the branch and
| queue up and show ID just to get my own money out of my
| account.
| CGamesPlay wrote:
| I wonder if such a ban would give you legal grounds to
| prosecute Apple and Google for preventing you access to these
| digital services?
| ar_lan wrote:
| But these services are forcing you to use Apple/Google -
| Apple/Google aren't imposing that requirement.
|
| If anything it'd probably give better grounds to prosecute
| the services that require Apple/Google.
| vorpalhex wrote:
| Your suit would be against eg your bank for failing to
| provide you obtainable access, but you are likely to find it
| not a winnable case if you've signed any sticker contracts.
| IshKebab wrote:
| I don't think it's unreasonable to require NFC reading, given
| the security advantages. The real issue is that Apple forbid
| side-loading and their Android app uses Google Play Services.
|
| They should remove the dependency on Google Play Services, and
| probably publish the API details for any enterprising Linux
| nerds that want to make an app. If they did those two things I
| don't see any grounds for complaint.
| hagen2022 wrote:
| After attending many fsfe events I am a bit annoyed as they do
| all these statements but nothing fruitful comes out. Telling
| common man/woman these is not helpful. Many of fsfe people
| themselves use G-Pay etc.
| markus92 wrote:
| Devil's advocate here; Do I want my tax money to be used to
| create an app for an extremely niche group of people? (i.e.
| people who have a smartphone but not regular Android/iOS). How
| many people are we talking about, a few thousand on a population
| of 17 million?
|
| We're not talking about unavailability of government services,
| there's still a process available, the analog one.
| RealStickman_ wrote:
| Why not use an existing open standard like TOTP instead of
| creating a custom app? Seems less of a hassle to me.
| markus92 wrote:
| They actually answered that, something with the user
| experience of using two apps and TOTP not meeting
| requirements for the highest eIDAS level. See interview here
| (in Dutch):
| https://www.security.nl/posting/701749/Security_NL+spreekt+m...
| thingification wrote:
| Sorry to keep posting this same sort of comment here, but:
| does that say anything about U2F or FIDO2?
| Beltalowda wrote:
| No; just TOTP.
| thepra wrote:
| In Italy we're already in a quite similarly bad situation,
| following is a list of third-party "services" used inside PosteID
| https://play.google.com/store/apps/details?id=posteitaliane....,
| one of the most used apps for gov. authentication:
|
| Libraries: Adobe Experience Cloud, Google AdMob, Google
| CrashLytics and Google Firebase Analytics
|
| Domains caught so far: ajax.googleapis.com
| android.googleapis.com auditrecording-pa.googleapis.com
| clientservice.googleapis.com connectivitycheck.gstatic.com
| crashlyticsreports-pa.googleapis.com deviceintegritytokens-
| pa.googleapis.com doc-0k-ac-docs.googleusercontent.com
| firebaseinstallations.googleapis.com lh3.googleusercontent.com
| www.googleapis.com assets.adobedtm.com oms.dowjoneson.com
| 2.bp.blogpost.com firebase-settings.crashlytics.com
| s.webtrends.com statse.webtrendslive.com
|
| To sum it up: googleapis, gstatic, googleusercontent, adobedtm!,
| dowjoneson?, blogpost!, crashlytics, webtrends, webtrendslive
|
| Plus, the system is based on providers, so you have to go through
| many bureaucratic steps to get recognized and then you
| pay-per-user/year that can go up to 7 Euro/user
| kleiba wrote:
| If you're interested in these kind of issues, rms has been
| collecting them for years on his website.
| theiz wrote:
| There is the big blind spot for governments. Tried to get
| attention to this too with the covid QR system: they say it is
| safe for privacy, but it demands you to use an app for that on a
| smartphone (the paper alternative is not privacy friendly). It is
| denied and ignored and continues to be a focus point for the EU.
| dane-pgp wrote:
| > In the mean time there was also a desktop application available
| to read out the NFC chip of an identity card. This app is only
| available through the Windows 10 app store. With all my computers
| running Debian or Ubuntu, that was no option for me.
|
| I fear this isn't a temporary oversight but a sign of the long-
| term trends towards governments only supporting the major
| platforms. Those platforms will then complete the _quid pro quo_
| by "voluntarily" banning apps that the government doesn't
| approve of, like bittorrent, Tor, E2EE messengers, VPNs, etc.
| arthurcolle wrote:
| I mean couldn't you just run Wine or something?
| Bedon292 wrote:
| If it's only available to get through the Windows App Store,
| is that even possible to do? I haven't actually used Wine in
| a very long time, so I don't actually know how that would
| interact with the App Store.
|
| Then there is the question about interacting with the
| hardware for reading the card as well.
| usrn wrote:
| App store says WPF to me which won't work in Wine.
| jeroenhd wrote:
| You don't need to use UWP/WPF/whatever it's called these
| days to get the application into the MS Store. Good ol'
| Win32 programs can be packaged and distributed through
| there as well.
|
| Microsoft wants you to use their new APIs but they realised
| they couldn't force developers to do that. With their
| efforts for a mobile phone operating system dead in the
| water they've been more accepting of normal applications
| for a while now.
| dane-pgp wrote:
| That's a good point, at least for the immediate problems, but
| I suspect that in the longer term, governments will make
| their apps check for genuine Windows/macOS installs using
| remote attestation, like some online games are already doing.
|
| https://arstechnica.com/gaming/2021/09/riot-games-anti-cheat...
| krono wrote:
| Roll over and play dead often enough, and eventually the
| world around you will just assume you don't care and stop
| bothering to even inform you of the upcoming tricks they'll
| be requiring you to perform.
| belter wrote:
| This is miles from a temporary oversight. In the Netherlands
| unchecked citizen surveillance is the norm, and that has
| nothing to do with being a democracy. The same way the US
| "still" is a democracy but unchecked surveillance is pervasive.
|
| "Dutch civil servants used social media to spy on citizens,
| says study"
|
| https://www.euronews.com/my-europe/2021/05/19/dutch-civil-se...
|
| "Dutch secret service 'also has access to information from
| PRISM'":
|
| https://news.ycombinator.com/item?id=5860215
|
| "The Netherlands, a surveillance state?" (2017):
|
| https://www.ictrecht.nl/en/blog/the-netherlands-a-surveillan...
|
| "Sweeping surveillance powers planned by Dutch government" -
| "The Netherlands is already the most heavily phone-tapped
| country in the world" (2016)
|
| https://www.irishtimes.com/news/world/europe/sweeping-survei...
|
| "With a population of 17 million, the Netherlands is already
| the most heavily phone-tapped country in the world - with about
| 26,000 taps granted to the police and other agencies, excluding
| the security services, every year, according to figures from
| the Department of Justice."
|
| The author of the article just made himself part of this
| list...
| mschuster91 wrote:
| > "With a population of 17 million, the Netherlands is
| already the most heavily phone-tapped country in the world -
| with about 26,000 taps granted to the police and other
| agencies, excluding the security services, every year,
| according to figures from the Department of Justice."
|
| Not surprising, given that the Netherlands is _the_ major
| port of entry for drugs into Europe - alone the port of
| Rotterdam had cocaine seizures worth 5 _billion_ euros in
| 2021 [1], and Europol estimates 1500 distinct criminal
| organizations in the cocaine trade.
|
| [1] https://www.nrz.de/region/niederrhein/rotterdamer-hafen-koka...
|
| [2] https://www.nzz.ch/international/die-niederlande-sind-fuer-d...
| trasz wrote:
| In other words all this surveillance is done for a useless
| purpose?
| jthrowsitaway wrote:
| Glad to hear that this is all in the name of the war on
| drugs. /s
| pessimizer wrote:
| It's difficult to molest a child over the telephone.
| tomrod wrote:
| Purism, framework, and similar are coming at the right time
| then, eh?
|
| Most recent government services operate via the web or APIs
| anyhow.
|
| Plus suing for alternatives to Google/Microsoft duopoly should
| be front and center for fringe firms in the space.
| argomo wrote:
| Probably too late, honestly, but still worth trying.
|
| Honestly, FirefoxOS received a lot of flak for not "focusing
| on their browser", but if it had succeeded it would have been
| a huge win for digital freedom and privacy.
| thesimon wrote:
| Germany supports ID card reading on almost all distros:
| https://www.ausweisapp.bund.de/en/open-source-software
| AshamedCaptain wrote:
| These "smartcard" ID systems (which were reasonably open) are
| getting deprecated all over the EU in favor of smartphone-
| based solutions.
| monkeybutton wrote:
| Out of paranoia, I do all my piracy on a completely different
| machine than all my banking, taxes, official stuff anyways.
| Which is also a separate machine than the one I use for work..
| How many devices does one person need?
| fsflover wrote:
| You only need one machine running Qubes OS:
| https://qubes-os.org. Works for me.
| spotlesstofu wrote:
| Government ID providers in Italy lock people to proprietary apps
| even when all they need is the most ordinary TOTP
| https://blog.jacopo.io/en/post/spid-google-authenticator/
___________________________________________________________________
(page generated 2022-05-09 23:01 UTC)