[HN Gopher] EU age verification app not planning desktop support
___________________________________________________________________
EU age verification app not planning desktop support
Author : sschueller
Score : 428 points
Date : 2025-09-24 11:52 UTC (11 hours ago)
(HTM) web link (github.com)
| emigre wrote:
| This is outrageous and doesn't make sense
| nicce wrote:
| Depends on whom you ask. Google introducing developer
| verification, and sideloading on iOS being an even bigger hurdle:
| they want to stay in control of what you use and they want to
| make sure you don't have the possibility to use anything they
| explicitly permit. The normal desktop is unfortunately too open for
| that. Discourage people from using desktops and make them rely on
| controlled gardens even more.
| throw834920 wrote:
| It makes total sense. The whole point is to punish self-
| respecting people who use freedom preserving operating systems
| and treat them as second class citizens.
|
| See: https://news.ycombinator.com/item?id=44704645
| bilekas wrote:
| This is a great example of how this whole requirement hasn't been
| properly thought out.
|
| > Desktop support is not currently within the project's scope.
|
| What I would like to take from this is that, by their own
| definition, desktop apps are out of scope for Age Verification.
| So does that mean we will see a return of the 'desktop
| applications' instead of everything being a web service?
|
| One can dream perhaps. Until then adults who are willing to 'do
| what they're told' will be the ones who are inconvenienced by
| this constantly.
|
| Edit: Also this will completely disable any new phone OSes being
| developed. Why would anyone bother when you can't verify your
| wallet to do anything online?
| Luker88 wrote:
| > does that mean we will see a return of the 'desktop
| applications'...?
|
| No. It's still required by law, which means that your desktop
| application will require some interaction with your smartphone.
| cenamus wrote:
| Further forcing everybody to have their phone on their person
| at all times
| pessimizer wrote:
| I've been saying this for years: eventually not having your
| phone on you and powered up at all times will not be a
| crime, but it will be grounds for questioning and search.
|
| One day, there will be a knock on your door.
|
| "Good morning, this is the police. Is there something wrong
| with your phone? Is your phone broken? Can we provide you
| with a charge?"
|
| "No, I must have turned it off accidentally."
|
| "Can we assist you with an upgrade? The newer models don't
| have power buttons."
| BolexNOLA wrote:
| _The Pedestrian_ : https://xpressenglish.com/wp-
| content/uploads/Stories/The-Ped...
| sjw987 wrote:
| I think you're exactly right, and the groundwork is being
| laid today by the standards society is setting for
| everybody. People will assume a lack of a phone, or the
| presence of a phone with a lack of usage/content on it,
| makes you guilty of some sort of crime, similar to owning
| a burner phone.
|
| Tell somebody you use your phone less than 10 minutes a
| day and look at their face change.
| thewebguyd wrote:
| > Tell somebody you use your phone less than 10 minutes a
| day and look at their face change.
|
| While it's not less than 10 minutes per day for me, I was
| having this argument on reddit over the iPhone Air -
| people couldn't fathom that there's someone out there
| who is not on their phone 24/7, and doesn't use their
| phone as their main computing device.
|
| I clock in at under an hour screen time most days. It's
| the least ergonomic device for me to do anything remotely
| serious. Can't even stand typing on a virtual keyboard.
| My laptop is, and will remain, my main interface to the
| net and communication with others.
|
| You'd think I was some kind of weird hermit luddite
| because of it.
| fhdkweig wrote:
| According to Mallen Baker, this is already happening in 9
| countries. https://youtu.be/0zlDVM1x8P4?t=228
| mhitza wrote:
| Black Mirror "The entire history of you" now in mobile
| app version.
| marcosdumay wrote:
| So... 1984?
| im3w1l wrote:
| What does seem to be happening is rather that the
| assumption of having a phone will be built into every
| little thing - in particular mobile payments are becoming
| mandatory in some places. Transportation including
| parking is sometimes locked behind an app. We could also
| see stuff like landlords moving to smart locks that a
| tenant open with their phone.
|
| Since children are universally not considered real people
| with real rights, schools requiring them to have the right
| apps to perform their schoolwork are to be expected.
| nehal3m wrote:
| And as a prerequisite enforcing dependency on titanic (and
| in my case foreign) tech companies that are free to
| unilaterally ban you from communicating with your
| government. This is a BAD idea.
| jeroenhd wrote:
| Depending on the implementation, you can run the app on
| your computer. I don't see why the iOS app wouldn't work on
| macOS, and there are tons of tools to run Android apps on
| Windows and Linux.
|
| If the actual implementations do copy the dependency on
| Play Integrity and other such APIs, that does become a
| problem (getting past that is a major annoyance on amd64
| computers because there are so few real amd64 Android
| devices that can be spoofed).
|
| However, the law regarding these apps specifically states
| that the use of this app must be optional. I'm not sure
| websites and services will implement other solutions, but
| in theory you should not need a phone unless you want the
| convenience and privacy factor of app verification. I
| expect alternatives (such as 1 cent payments with credit
| cards in your name) to stick around, at least until we get
| a better idea about how this thing will work out in
| practice.
| Imustaskforhelp wrote:
| Waydroid on Linux comes to mind. It sort of semi-worked
| out of the box on Arch Linux, but I can't imagine
| setting it up somewhere else..
|
| Wait a minute, while writing this comment, I realized
| that there was a guy who sort of packaged waydroid into
| flatpak-ish to run android apps in flatpak.
|
| https://flathub.org/en/apps/net.newpipe.NewPipe
|
| (It uses android translation layer??)
|
| I am not an EU citizen but if somebody is & they want
| this age verification app on desktop, maybe the best way
| might be to support this android translation layer to
| convert this EU app into something that can run through
| flatpak and then use linux I suppose.
|
| I mean, some of y'all are so talented that I feel like
| surely someone would do it if things do go this way! So
| not too much to be worried about I suppose :>
| Aaargh20318 wrote:
| The wallet app can be started using a QR code. You can then
| finish the verification on your phone and continue on the
| desktop website/app/whatever.
| snickerdoodle14 wrote:
| How can I do this when I don't have a phone?
| ToucanLoucan wrote:
| Don't you people have phones?
|
| Edit: Sorry that reference was a deep cut, I was quoting
| the devs of that awful Diablo mobile game way back.
| debazel wrote:
| A phone isn't enough, you need an Apple or Google account
| as well. So if your Google account gets banned, you might
| as well just jump off a bridge because it's over for you.
| shmel wrote:
| That is easy to solve though. If Apple/Google become
| essentially a utility, they are legally mandated to
| provide an account for any EU citizen =)
| Imustaskforhelp wrote:
| No? I had been with a dumb phone for almost a year, from
| like 2024-25? What point are you trying to make, as I
| think that there are some good dumb phones on the market
| which even support things like Signal.
|
| I used to use the messaging app through SMS tho, the
| people that knew me (that 1 friend gets a shoutout here
| who used to msg me through SMS in the world of whatsapp
| and my mom!!)
|
| Most phones are used for two things that my father used
| to quote: WhatsApp (messaging app) and YouTube (social
| media).
|
| Entertainment could somewhat be offloaded via music
| player etc. into dumb phones and to be really honest, I
| think that even things like hackernews could be operated
| on those dumb phones if given the ability to.
|
| https://www.youtube.com/watch?v=QdYrBpBJRI4 : this is the
| dumbphone which supports Signal btw. Wish there was a way
| to make apps for dumbphones like these, just as we can
| make apps for Android.
|
| I was shocked by how feature-packed my Chinese dumb
| phone was for $11.27 lol. It just didn't have internet &
| yeah, games as well.
| slackfan wrote:
| For what it's worth, I chortled.
| hellojesus wrote:
| What if you don't have a phone? Or what if your phone runs
| a custom ROM and can't pass Google's attestation?
| Imustaskforhelp wrote:
| "Google, Google everywhere. Its attestation is gonna be
| a nightmare."
|
| Idk I created this just right now lol.
|
| But on a serious note, maybe check out my comment on
| something known as the android_translation_layer with
| flatpak to see if that might help to run that app at least
| on Linux.
|
| Linking it here :
| https://news.ycombinator.com/item?id=45361397
| Aaargh20318 wrote:
| Then you can't use this method of identification, just
| like you can't use it now. Surely it won't be the only
| way to identify yourself online. If this provides a
| frictionless way to do this for 95% of people then it's
| already a huge win.
|
| Don't let perfect be the enemy of good.
| debazel wrote:
| No, this is worse because it solidifies Apple/Google's
| duopoly over the smart phone market even more than it
| already is.
|
| Not only that, but having this locked behind something
| that works for 95% of users means the other 5% will never
| have enough leverage for any other implementations to be
| approved. Which is absolutely unacceptable for such an
| essential feature like age verification.
| Saline9515 wrote:
| The requirement for age id is already stupid.
|
| The target, which is the children who access "forbidden"
| websites without authorization, is likely to be smaller than
| the number of people who won't be able to access them due to
| those narrow specs.
| hellojesus wrote:
| Why can't we continue with an open web standard? We
| should have complete interoperability regardless of
| whether I'm using a google smartphone or a custom os I
| wrote in my garage or bsd or nixos. That is the entire
| point of web standards: to create the ability to
| communicate with one-another regardless of system design,
| so long as standards are properly implemented.
|
| This is a general computing crisis.
| codedokode wrote:
| If you don't have a phone, you cannot create a new Google
| or Vk (social network) account today. I expect there will
| be more things you won't be able to do if you don't want
| to leak your information.
| alerighi wrote:
| This is plain stupid. Countries (e.g. where I live) already
| have systems like SPID or CIE that can authenticate users
| using a multitude of factors; for example, I can
| authenticate myself with a QR code and a phone, or I can
| have no phone at all and use a 20 euro NFC reader
| connected to the PC to authenticate using my digital
| document and a PIN.
|
| I see this as a huge step back, to be fair.
| izacus wrote:
| My EU country allows tapping the ID card on an NFC reader on
| a PC for verification. No smartphone needed for desktop use.
|
| Why wouldn't that be sufficient?
| 201984 wrote:
| Most PCs don't have NFC readers.
| baq wrote:
| No reason that couldn't change. China should give good
| bulk discounts on 300M units /s
| izacus wrote:
| Cool, but that's the fallback they offer for folks who
| can't use the mobile app and it works just fine.
| Freak_NL wrote:
| Don't worry, that feature will inevitably be phased out
| because only a small percentage of people use it.
|
| Every new secure government
| identification/authentication/verification thing will try
| to 'just' use Android/iOS, because 'everyone' has one of
| those smartphones.
| qiine wrote:
| This reads more like "we thought the PC was a dead relic of
| the past", sadly.
| amelius wrote:
| I think it's more that smartphones have built in security
| measures that prevent hacking. It already works for bank
| apps, so why not use it for government stuff too?
|
| It sucks, yes, but that's probably how these people think.
| dathinab wrote:
| But if age verification is used for what it claims it is,
| such hacking protections are not only unnecessary but
| fundamentally harmful (i.e. if a child hacks their PC it's
| fine if they circumvent age verification; the main
| responsibility still lies with parents, and as such tools
| like parental controls are much more relevant).
|
| The main reason is that this is not a reference
| implementation or a "this is the app everyone must use" case
| but a "to see what is technically possible/practical"
| research/POC project.
|
| This also makes the "EU age verification app" title quite
| misleading.
| littlestymaar wrote:
| > I think it's more that smartphones have built in security
| measures that prevent hacking.
|
| Which is a joke when you know that most phones in the wild
| are using an obsolete OS version (most of the time due to
| lack of software support from the manufacturer, but
| sometimes because some people just refuse to update because
| updates are in fact downgrades -- looking at you iOS).
| ktosobcy wrote:
| Well, looking around I see more people using smartphones for
| anything and even not having a PC...
| mrweasel wrote:
| I've seen this as well. It's getting increasingly normal,
| but I cannot imagine doing the same myself.
|
| There's a much bigger likelihood of me going back to a
| feature-phone, compared to me starting to use my phone for
| anything but the absolute basics.
| Imustaskforhelp wrote:
| I used to use a feature phone and I genuinely didn't miss
| any of the same things.
|
| My commute is a really long ride and I just don't like
| using my phone on it.
|
| My dumb phone had a music system and an SD card (I finally
| managed to have that SD card fixed after a year of using
| that dumbphone without even an SD card for music).
|
| I just used to stare into nothingness / surrounding and
| think. (Yes I have edited it because I didn't used to
| think, I used to overthink just as I am doing right now
| lol)
|
| Not that productive, but my current phone is so slow that
| I can't even tell you guys or start telling you. It takes
| me 1/2 a minute just to unlock it and the only thing it's
| truly good at is having a music player run and some
| occasional hackernews or pokemon showdown or youtube
| scrolling.
|
| But tbh, I don't have any banking apps etc. so to me
| there isn't thaaat much of a difference. I feel like a
| macbook is genuinely nice as it has that less friction
| and a pc is great too as compared to a phone for the most
| part when I am at home.
|
| My screentime is usually just some shorts that I
| occasionally watch on my phone when I am extremelyyy bored.
|
| I am sad that my dumb phone was in my bag one day and
| then it just stopped (working??) , I swear I kinda regret
| having my dad's old phone. I am not sure how he was even
| using it.
| ktosobcy wrote:
| Same, but I also have other quirks and that doesn't mean
| this is TheTrueWay and everyone should adapt to it :)
| nozzlegear wrote:
| Smartphones are a lot more portable than desktop PCs or
| even laptops. Unless you enter everyone's home to take an
| inventory of their devices, it stands to reason that you're
| going to see more smartphones than anything else by just
| looking around.
| bigstrat2003 wrote:
| Sure, but computers are a lot more capable. Even for just
| scrolling sites, a desktop computer is a superior
| experience.
| mariusor wrote:
| But as long as there are _still_ people using desktop
| computers, removing access from them is an overreach and
| makes these ideas totally undemocratic. I am frankly
| baffled that an organization having the principles and
| know-how of the EU can even think of gating access to
| information with something so slipshod.
|
| The only eventuality where this is acceptable is when
| desktop computers won't even be gated, and then if anyone
| can circumvent the problem with a computer, why is anyone
| even bothering with the whole thing...
| bigstrat2003 wrote:
| > I am frankly baffled that an organization having the
| principles and know-how of the EU can even think of
| gating access to information with something so slipshod.
|
| That doesn't surprise me at all. Principles in a
| government body don't exist. They are all crooks.
| HankStallone wrote:
| It doesn't surprise me either, because I'd never be able
| to use a phrase like "the principles and know-how of the
| EU" with a straight face. (To be fair, you could replace
| "the EU" with almost any large bureaucracy.)
| mariusor wrote:
| Sure. But the EU is not just your average bureaucracy.
| It's an entity that has as one of its specific goals the
| following[1]:
|
| > combat social exclusion and discrimination
|
| [1] https://european-union.europa.eu/principles-
| countries-histor...
| graemep wrote:
| Any large bureaucracy has similarly lofty official goals
| mariusor wrote:
| I understand we're all old and cynical here, but one of
| the tenets of discussions on HN would be to take
| someone's arguments at face value, so I prefer to believe
| that the EU as an organization actually wants to diminish
| social exclusion and discrimination. I'm not sure if I'd
| give the same credit to any other capitalist entity, but
| the EU does not have the implicit goal of increasing
| revenue for its shareholders to subvert any of the others
| stated.
| graemep wrote:
| Lots of countries have similar goals and lofty
| promises in their constitutions.
|
| I take your argument at face value (in that I take it
| that you believe the EU has that goal at some level). I
| just do not expect it, as an organisation, to
| consistently promote that goal (for much the same reasons
| lots of countries fail to serve their citizens).
|
| Profit making businesses have the explicit goal of making
| shareholders better off. Management usually choose to
| balance this against other goals (ethics, the good of
| wider society, their own interests...), just as the EU
| has the explicit aim you state, but, similarly, has other
| conflicting aims.
| wwweston wrote:
| "They are all crooks" is the motto of another kind of
| personal corruption: the kind where people abdicate any
| responsibility to detail or distinction for the sheer
| indulgence of moral posture without any of the work.
|
| Every time someone says "they're all crooks" they are the
| enablers of crooks. The crooks couldn't do it without
| people like that.
| ktosobcy wrote:
| Are they?
|
| Again - this is only just one of the possible
| implementations of https://ageverification.dev/Technical%
| 20Specification/archit...
|
| It's possible to have others, but as a POC they are focusing
| on covering the biggest chunk of the population...
| EvanAnderson wrote:
| The vast majority of those people are never going to know
| the freedom and power afforded by using a general purpose
| computer you actually control.
|
| The "war on general purpose computing" need only be the
| waiting-out for those of us who remember actually owning a
| computer to die.
| sjw987 wrote:
| To me it reads that, since many people already believe this
| is more about tracking than safety, they are focusing on a
| device which is the perfect surveillance system, and which
| conveniently already accounts for 7+ hours of many people's
| daily computer/internet interaction.
|
| A desktop computer doesn't necessarily have a microphone or
| camera, and doesn't necessarily have to be connected to the
| internet. I'd wager most crime, including that which affects
| children is done on "disconnected devices" in this sense.
| sidewndr46 wrote:
| You could pretty much replace the statement with "General
| purpose computing considered harmful".
| qiine wrote:
| Or users 'having free will is problematic and unsafe', if we
| want to go even deeper :(
| ethagnawl wrote:
| > "General purpose computing considered harmful"
|
| Even though it sounds like _you_ probably know this, Cory
| Doctorow has been sounding this alarm for years. As usual,
| it seems he was right about the possibility of this being a
| legitimate battlefront in the (actual, non-hyperbolic) war
| on freedom.
| mrtksn wrote:
| The app not being available doesn't mean age verification
| isn't required. You can be required to confirm your account
| from your mobile phone, or scan some QR code on mobile that
| will take you to an age verification session, and once
| completed you can continue from the desktop.
|
| I mean, otherwise it would be like not being bound to speed
| limits if you don't have a speedometer.
| whatevaa wrote:
| So a loss of mobile phone will mean loss of everything? Maybe
| we should just kill people if they lose a portable mobile
| device which can just stop working by itself? I fully expect
| there to be some idiotic scenarios where to get x, you need
| to already have x.
| zelphirkalt wrote:
| Be as much work as possible in all places where the
| default option is to do something with your mobile phone.
| If enough people do that, then the alternative to using
| your phone will need to have a good process, so that it is
| not holding up everyone else.
|
| If something doesn't work without your phone, report it
| being broken. If they tell you to use your phone, tell them
| you don't have one. If possible, leave their service, if
| they don't care.
|
| We have to make it their issue as much as possible, when
| they try to push their shit onto us.
|
| Surprisingly often there is a workable alternative to using
| ones smart phone. We have to make use of those as much as
| possible, so that the cost for them to get rid of those
| options will be high and they think twice before doing that
| and offending us.
| mrtksn wrote:
| Why would loss of a mobile phone be that dramatic? Go buy a
| new one? Having the equipment in something that requires an
| equipment is pretty reasonable when the price range is
| within the reach of everybody.
| fithisux wrote:
| They will terrorize us like that and then, they will use
| implanted chips. One primary one backup. It is extremely
| rare to lose both. Possibly the primary will be in your
| head.
| Levitz wrote:
| >I mean, otherwise would be like not being bound to speed
| limits if you don't have a speedometer.
|
| That only works in a world in which the government provides
| speedometers, which restrict the vehicle automatically, and
| in this case they refuse to provide them at all for blue
| cars.
| j0057 wrote:
| > Also this will completely disable any new phone OS' being
| developed. Why would anyone bother when you can't verify your
| wallet to do anything online.
|
| This is already the case today: you can't run your bank's app
| or government eID apps on anything but Google or Apple devices.
| ale42 wrote:
| True. But it doesn't _need_ to be so, it's actually a
| problem.
| lloydatkinson wrote:
| Back when Microsoft said they were going to let Android apps
| run on Windows before killing it off for I think the third
| time, I was excited that I'd be able to run my bank app on my
| desktop. The app is a simple process to login, but the
| website has about 50 steps to login making it unappealing to
| use (probably on purpose).
| Gander5739 wrote:
| You can, with Windows Subsystem for Android.
| Unsurprisingly, it's not going to be supported for much
| longer.
| worldsayshi wrote:
| I get that it wouldn't be optimal but can you run it on an
| android emulator?
| freehorse wrote:
| True, but there are alternatives to using these services,
| though a bit more inconvenient. What will be the alternative
| to the age verification mobile app?
| logifail wrote:
| > you can't run your bank's app
|
| I _can_ log in to my bank account using my desktop PC
|
| > government eID apps
|
| I _can_ sign into government websites using my desktop PC and
| its smart card reader and my government-issued eID smartcard.
| No smartphone needed.
| tarsinge wrote:
| For now; there is an increasing number of banks and
| government websites that are broken if you are not using
| Chrome, or that flat out require it.
| agf wrote:
| This has been true since it stopped being true for
| Internet Explorer. I've not noticed any significant
| change over time. I have been using Firefox for over 20
| years.
| okanat wrote:
| Not in EU. Many banks mandate you either have an iPhone or
| Google approved Android as 2FA. Those fucking idiots have
| killed their own competition options.
| Fargren wrote:
| Yes in the EU. I'm in Spain and I sign in to several banks as
| well as government sites on my desktop PC.
| yupyupyups wrote:
| My bank (in the EU) has a fully functional website where
| I can identify myself using an offline 2FA device.
| synecdoche wrote:
| Likewise in Sweden. No bank that I'm aware of requires
| mobile-only login.
| nextos wrote:
| Some neobanks are limited to mobile-only. The OP's
| statement was too general. It's also true that some
| regular banks are phasing out 2FA via SMS, which is
| outdated per EU regulations, and may not easily offer
| alternatives to their app for 2FA codes.
| Retric wrote:
| That's what competition is for. You can still swap banks
| over such nonsense.
| xxs wrote:
| Of course in the EU - pretty much all Baltic and Nordic
| countries support ID cards connected via USB.
| GardenLetter27 wrote:
| Nope, Sweden requires Mobile BankID on iOS or Android for
| example.
| Samtidsfobiker wrote:
| BankID has a desktop version, and no site which requires
| Mobile BankID would not allow you to also use the desktop
| version.
| GardenLetter27 wrote:
| But it doesn't support Linux.
| okanat wrote:
| Well not in Germany. Some banks accept their branded
| authenticators, some of them don't.
|
| ING in Germany forces you to either have a single Google
| approved smartphone or a single authenticator, not both.
|
| DKB requires a paid Girocard to use the authenticator or
| a Google approved smartphone.
|
| N26 requires a single phone but they are a bit lenient.
| However they have way too many incidents reported where
| they closed people's accounts without a reason.
|
| The traditional banks have high fees. One pays upwards of 10
| - 15 euros a month for Sparkasse or Commerzbank for a
| simple checking account. Using Sparkasse means you cannot
| deposit money outside county (yes county and country)
| borders. Many traditional banks have high fees for
| withdrawing outside the network.
|
| So one is forced to choose between modern banks with
| better online experience that's tied to Google and Apple
| or a traditional bank with oftentimes awful online
| experience and high fees.
| riedel wrote:
| My German bank started to require an Android or iOS
| smartphone [0]. No dedicated HW, no desktop. I actually
| dumped my well-working Xiaomi phone because it was either
| security or banking.
|
| [0] https://www.1822direkt.de/service/fragen-und-
| antworten/detai...
| okanat wrote:
| I actually considered switching to 1822direkt last year.
| No more!
| generic92034 wrote:
| > So one is forced to choose between modern banks with
| better online experience that's tied to Google and Apple
| or a traditional bank with oftentimes awful online
| experience and high fees.
|
| I do not understand how you are coming to that conclusion
| regarding modern banks. You can use the authentication
| device, which is completely independent of Google or
| Apple.
| johnisgood wrote:
| Which banks? Which country? How do they check and enforce
| iPhone / Google wrt. 2FA? Are you referring to TOTP as
| 2FA?
| pimterry wrote:
| All of them now require some kind of 2FA, everywhere.
| This is due to a legal requirement on all EEA payment
| providers that they require 2FA for almost everything
| since 2020, including accessing your account on their
| website: https://en.wikipedia.org/wiki/Strong_customer_authentication
|
| TOTP codes would be allowed by the regulation, as would
| biometric approaches or separate physical tokens, but in
| practice every bank I've used in recent years (quite a
| few, mostly Spanish but also in Belgium & Switzerland)
| requires that you accept a confirmation prompt or similar
| in their app.
| logifail wrote:
| It feels like "gold-plating" of regulations is and always
| has been a significant problem in the EU.
|
| Regulations are written (at EU level) to allow X, Y and
| Z; somehow by the time it's implemented at member state
| level it miraculously allows only X or Y, and once
| it gets to actual service providers (who've presumably
| been advised by their in-house lawyers that 'Y is bad')
| we end up with a choice of X or nothing.
|
| Then if you ask anyone at EU level what's going on, they
| point to what the regulation says, and everyone shrugs.
| okanat wrote:
| All banks are required to have "safe" 2FA in the EU by EU
| regulation. SMS is banned.
|
| Most banks in Germany, Austria and Portugal default to
| Play Store or App Store apps with OS integrity checks. It
| seems like the Nordic countries have it a bit better with
| the ID reader apps. There are sometimes alternatives and
| some of them require paid subscription.
|
| The apps they require are proprietary. They are not
| generic TOTP generators. Some of them require biometric
| approval. Some just logging in and approving a
| notification. I have seen some generate a form of non-
| standard TOTP. Otherwise I wouldn't complain about being
| locked into Google or Apple ecosystems. They are Play
| Store or App Store apps that require attestation from the
| libraries / systems provided by Google or Apple, like
| SafetyNet or Play Integrity. Some require strong hardware
| attestation. If the OS is modified, those checks do not
| pass. You cannot use any FOSS system without crazy hacks.
| If the phone is stolen, you have to go through manual
| re-onboarding. It sucks when you're out of the country.
| BasilofBasiley wrote:
| > SMS is banned.
|
| Really? I didn't know that. Can you point me to a document
| that states that? I'd greatly appreciate it.
|
| > SafetyNet or Play Integrity
|
| A few days ago I did inspect the NovoBanco (Portuguese)
| apk, and I did look for SafetyNet specifically. They
| didn't use it. But since I'm not that familiar with the
| Android ecosystem I couldn't really tell if Play
| Integrity was used instead. But I did find a LOT of HMS
| (Huawei Mobile Services) stuff, and some of it was
| definitely related to security.
|
| I might take a look at it again tomorrow.
|
| I was curious if I could sideload the app without logging
| into a google account, meaning without using google
| services, but all I did was a tiny bit of static analysis
| instead of actually trying it.
|
| If you have any write-ups on crazy hacks for foss
| systems, again it would be awesome if you could share
| them and greatly appreciated. Cheers
|
| Also, is using HMS a normal thing in android development?
| Last I checked Huawei was persona non grata in the west,
| at least when it came to hardware like network equipment
| and consumer devices. I was surprised when I saw HMS in
| the apk.
| BasilofBasiley wrote:
| While everyone took the opportunity to reply to you with
| "Not in my bank/country/to-my-awareness", this is what's
| happening in Portugal:
|
| https://old.reddit.com/r/portugal/comments/1msc886/obriga
| %C3...
|
| Effectively, if the client doesn't download the App, they
| will never be able to log into the homebanking website
| again. The bank enforced this and now if you login
| normally it will redirect to a page where you can
| download the app or use up one of three remaining chances
| to login. I am down to two. From now on, I'm only able to
| use ATM's or go to an actual teller to make payments and
| such. The app requires that I have a Google account or an
| Apple account and I think that's just messed up,
| especially for a Portuguese bank.
|
| The app on the google store is pt.novobanco.nbsmarter if
| anyone is curious. It has interesting permissions as
| well.
|
| Edit: This is the landing page (one login left, oh
| dear...) https://files.catbox.moe/x117iy.png
|
| rsync, here you go:
|
| https://reports.exodus-privacy.eu.org/en/reports/652314/
| rsync wrote:
| Can you expand on:
|
| "It has interesting permissions as well ..." ?
|
| I assume a banking app needs (temporary) permission to
| use the camera for check photos or things of that nature
| ... and possibly (temporary) use of location data.
|
| I would be alarmed if it requested microphone or access
| to either contacts or photo storage ...
| BasilofBasiley wrote:
| I updated the above comment. Cheers.
| eikenberry wrote:
| You say "The bank"... does this mean Portugal only has
| one bank? If not, wouldn't this be a good reason to
| change banks? Maybe to a credit union (bank co-op) if
| they have those in Portugal as the members generally have
| much more of a say.
| BasilofBasiley wrote:
| When I wrote "the bank" I meant, the bank in question,
| which is the one mentioned in the URL. Hope this makes it
| clearer for you.
|
| As for alternatives, yes, there are; I'm still figuring
| out which ones do not require an app on the smartphone,
| though.
|
| I believe I've found a fair alternative after asking a
| few friends, but I have to account for other factors as
| well, like how secure their infrastructure is.
|
| This is because offline 2FA keyfobs were never that
| popular in Portugal (to my knowledge), unlike 2FA via SMS
| which I find less secure than keyfobs, but now with the
| SCA directives from the EU, most banks are jumping on the
| App 2FA bandwagon. Some do offer a government issued
| alternative [0] but it still requires an app. I'd be
| perfectly happy to sign in with my Citizen's ID card
| reader but that is also rarely implemented (bank-wise),
| especially since the Chave Movel Digital app from the
| government [0].
|
| Bottom line, most major banks are going in one direction
| (deploying their own apps onto customer devices), while
| smaller banks are staying put (with SMS 2FA) but their
| security was never that great. So I'm still prospecting
| and yes, there's a bank co-op on my list also.
|
| Oh, and by "security" I'm mostly going by feel here.
| Like, if the web interface is a bit janky I don't feel
| secure. I'm not going to look into obfuscated .js and
| pretend like I know anything about web security.
|
| [0] https://www.autenticacao.gov.pt/a-chave-movel-digital
| wkat4242 wrote:
| > While everyone took the opportunity to reply to you
| with "Not in my bank/country/to-my-awareness" This is
| what's happening in Portugal:
|
| Well yeah but that's what you get when you make overly
| broad statements like "not in the EU".
| janice1999 wrote:
| > Not in EU.
|
| Please stop spreading disinformation. I live in the EU
| and my EU bank supports desktop browsers + Card reader
| matching everything the mobile app can do.
| wkat4242 wrote:
| Spain provides smart cards to their citizens. Mobile is
| not needed.
| dzhiurgis wrote:
| My experience of using them is horrible.
| 3836293648 wrote:
| Well, in Sweden we can't. You already need BankID on your
| phone to log in on your PC. There used to be a BankID
| desktop app and dedicated hardware, but that's gone from
| many sites now.
| anttiharju wrote:
| > This is already the case today, you can't run your bank's app
| or government eID apps on anything but Google or Apple
| devices.
|
| Fairphone 6 with e/OS begs to differ. Dutch phone with a
| French OS. No issues.
| em-bee wrote:
| Well, my bank's app does not run on /e/OS. I get some kind
| of security error.
| sidewndr46 wrote:
| Just wait until kids figure out you can run an emulator for an
| older desktop platform on a modern phone with ease
| b800h wrote:
| Or rather: "You will need a smartphone to use this desktop
| app".
| hopelite wrote:
| > What I would like to take from this is that, by their own
| definition, desktop apps are out of scope for Age Verification.
| So does that mean we will see a return of the 'desktop
| applications' instead of everything being a web service ?
|
| I doubt it unless something odd happens like triggering some
| reaction. They've looked at the data and see the majority of
| society using "phones", which are really just increasingly
| small computers that happen to have a feature to also make
| calls; and they've decided that this trap they're leading us
| all into can and may even need to stay open and inviting for a
| while anyways until the older people die off and desktop form
| factors kind of fall by the wayside, before the trap is even
| ready to be sprung. In the meantime they'll just gaslight and
| lie about what they're doing, to save and protect the children
| of course, until the day that you turn around from a
| distraction and the trap door is shut behind you.
|
| It's the same MO as always, with the gullible and naive
| enablers being essentially a worse threat than the actual
| perpetrators.
| cortesoft wrote:
| > This is a great example of how this whole requirement hasn't
| been properly thought out.
|
| I think this is more an example of you misunderstanding the
| desires of the people pushing for this.
|
| They want to actually ban this content, they just know that
| it's a harder sell than restricting to adults. So for them,
| making it harder or impossible to access the content is a
| feature, not a bug.
| baq wrote:
| This is hardware attestation in a nutshell: a double edged sword,
| and a sharp one at that.
|
| The biggest issue is that the attestation hardware and the
| application client are the same device from the same
| manufacturer, who also happens to have a slight conflict of
| interest between monetizing customers and preserving any sort
| of privacy.
|
| IMHO the pro-attestation forces are so overwhelming that we
| should all cherish the moment while we have anything open left.
| qiine wrote:
| This could be a boon to all sorts of new kind of hardware
| though ( _wishful-thinking mode_ )
| brookst wrote:
| How does private access token (PAT) compromise privacy in the
| name of monetization?
| disruptiveink wrote:
| The insane question here is, why would the EU mandate hardware
| attestation controlled by two private American companies in
| order to access services?
|
| That seems completely contrary to the spirit of EU laws and
| regulations, which tend to be about protecting the consumer,
| preventing monopolies, ensuring people can generally live their
| lives where all things that are mandatory are owned and run by
| the state and foster a certain degree of EU independence, with
| a recent focus on "digital sovereignty".
|
| This one is a five for one against all of those goals? Harms
| the customer (you could see this as the polar opposite of
| GDPR), strengthens entrenched monopolies, forces citizens to be
| serfs of one of two private corporations in order to access
| information, and on top of that, like it wasn't enough,
| willingly capitulates to the US as the arbiters of who is a
| valid person or not.
|
| This is so against the spirit of the EU itself that it would
| almost be funny if people weren't serious.
| ronsor wrote:
| > The insane question here is, why would the EU mandate
| hardware attestation controlled by two private American
| companies in order to access services?
|
| Because the EU doesn't actually care about privacy, otherwise
| they wouldn't be trying to do this and ChatControl. They care
| about being the main ones to spy on you, and maybe using
| fines as additional "taxes" on rich foreign companies. That's
| it.
| jeroenhd wrote:
| The app this discussion is about is a _reference
| implementation_ that is part of a long-term process for
| building a digital identity app. Specifically, this
| discussion is about the age verification part of the app,
| which is the first part expected to be finished but is also
| only a small part of a much wider ideal.
|
| Europe's dependence on American tech is a major pain point
| but realistically, there are only two smartphone vendors. If
| a European vendor does rise up, I'm sure whatever app comes
| out of this process will happily hook into the hardware
| attestation API for that OS as well.
|
| https://github.com/eu-digital-identity-wallet
| zb3 wrote:
| But you could do attestation on GrapheneOS, no need to
| require the users to have Google spyware preinstalled.
| Google is abusing its position here, attestation should be
| to verify the security model, not Google's business model..
| codedokode wrote:
| Attestation is fundamentally incompatible with software
| freedom.
| ulrikrasmussen wrote:
| When scoped to attest the full software stack down to the
| kernel, yes, because it takes control away from the
| general purpose computing device that the user supposedly
| owns. I don't however have a problem with attestation
| scoped to dedicated hardware security devices such as
| YubiKeys.
| zb3 wrote:
| And if such dedicated hardware is ever required by the
| law, the manufacturer should be prohibited from bundling
| any business-related functionality there (such as
| displaying ads) that can't be turned off without breaking
| the certification.
|
| Google's ad business model should never be mandated by
| law, unfortunately lawmakers seem to be unaware that this
| is what requiring Play Integrity effectively means.
| ulrikrasmussen wrote:
| Yes, and remote attestation should be illegal on any
| general purpose computing device, for some reasonable
| definition of what that is. General purpose computing
| should be a human right, in particular the right to
| change the software running on devices that you own.
| codedokode wrote:
| This "identity wallet" is such a hostile idea, require
| identification for everything instead of thinking about how
| to remove identification (for example, allow anonymous
| banking, traveling).
| pelorat wrote:
| Wait until you find out that in some places in the EU
| it's a crime to not carry a physical ID on your person
| when you leave the house.
| IlikeKitties wrote:
| > The insane question here is, why would the EU mandate
| hardware attestation controlled by two private American
| companies in order to access services?
|
| Because this is being pushed by lobbyists to use hardware
| attestation to make it piratically mandatory for every
| citizen in the EU to be registered to either Apple or Google
| with a real id for all non-trivial online interactions at all
| times. The people behind this push neither have the technical
| knowledge nor care in the slightest that this is the
| consequence.
| ykonstant wrote:
| >piratically mandatory
|
| I am stealing this typo.
| Freak_NL wrote:
| Take any group of a hundred tech people (devs, analysts,
| architects, etc.), and 95 of them will do everything with
| their stock Android or iOS smartphone. Maybe 3 will
| consciously limit their use of that device, and the remaining
| 2 reluctantly use something sane like GrapheneOS. Those two
| might pipe up and take a stand for people without smartphones
| (which includes a very varied swath of people, from Luddites
| to people with disabilities), but they'll get drowned out by
| sighs, sheepish looks, and the chorus of 'let's just start
| with those two smartphone OSes, and if after a year or two
| people still really need something else, a new project can be
| started to address that'.
|
| It's not an insane question, it just doesn't get asked.
| fithisux wrote:
| Do you believe they care for EU? The driving forces are
| other.
| Confiks wrote:
| > The insane question here is, why would the EU mandate
| hardware attestation controlled by two private American
| companies in order to access services?
|
| Please (kindly) ask Paolo De Rosa [1], Policy Officer at the
| European Commission and driver of many of the decisions
| behind the wallet and the ARF. His position is one of
| fatalism: that it's "too late"; the duopoly of Goople is
| entrenched, and it's therefore not a problem if the wallet
| project entrenches it even further. Regrettably quite a lot
| of member states agree, although representatives of France
| and Germany specifically are frequently standing up to the
| fatalism.
|
| [1] https://github.com/paolo-de-rosa
| mzajc wrote:
| My understanding of the "double edged sword" idiom is that the
| tool has both downsides and upsides. What are the upsides to
| restricting what I can do with the hardware I paid for?
| EvanAnderson wrote:
| Revenue for the device manufacturer for licensing sales in
| their walled garden "store".
|
| Since Apple and Google are public companies I guess we should
| all buy stock and reap the financial rewards of destroying
| computing freedom. >sigh<
| nickslaughter02 wrote:
| Do you want desktop PC vendors locking down hardware to enforce
| integrity?
| pjmlp wrote:
| What do you think Windows 11, latest macOS, ChromeOS hardware
| requirements are all about?
|
| Copilot+ PCs even require the same security chip as Xbox and
| Azure Sphere IoT board (Pluton), in addition to TPM 2.0.
|
| https://learn.microsoft.com/en-us/windows/security/hardware-...
| hhh wrote:
| Well, yeah. There's no way to curb the modern cheating
| epidemic without increasing security measures. Riot Games via
| Valorant truly pushed the industry so far ahead by reducing
| their cheating percentages so low that the cost to cheat for
| more than a few weeks at a time is thousands of dollars a
| month.
|
| It's not the sole reason, but it's a solid one.
| realusername wrote:
| They have some other secret sauce for sure, there are tons of
| cheaters on console, which is a vastly more locked down
| platform compared to PC.
| realusername wrote:
| I don't want integrity on my mobile so why would I want it on
| my desktop?
| zekica wrote:
| Exactly, remote attestation is only acceptable on your own
| devices with remote attestation servers that you control.
|
| For example, it would be completely fine to implement remote
| attestation where devices issued by companies to employees
| verify their TPM values with the company's servers when
| connecting via VPN.
|
| All other such activities directly infringe on ownership
| rights.
| realusername wrote:
| I don't see the value of remote attestation period.
| Especially when we talk about the mobile world which is a
| jungle where even the manufacturer itself doesn't have the
| full picture of all the code running on the device.
|
| Yeah, sure, it guarantees that the device is more or less
| the same as from the factory... and then what? What am I
| supposed to do with that information?
| zekica wrote:
| It can be valuable on devices *you own* with servers *you
| own* when the devices are not physically present (or even
| if they are).
|
| You can get PCR values and decide if the device you are
| talking to is tampered with. That way, you can set a
| higher bar for hackers.
|
| This is completely different to what this topic is about,
| I'm just saying that there is a case where it can be
| useful.
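The owner-run attestation check zekica describes, as an added example that is not code from any project in this thread: it replays a constructed measured-boot event log into PCR values and compares them with what a device reports, the way a company attestation server might gate VPN access. The SHA-256 extend rule is the real TPM one; the event labels, the PCR policy and the "company laptop" image are assumptions.

```python
"""Owner-run remote attestation check: replay a (constructed) measured-boot
event log into TPM-style PCR values and compare them with what a device
reports. Added example; not code from any project mentioned in the thread."""
import hashlib
from typing import Dict, List, Tuple

PCR_SIZE = 32                      # SHA-256 bank
RESET_VALUE = bytes(PCR_SIZE)      # PCRs are all-zero after a reset


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-256(PCR_old || measurement)."""
    return hashlib.sha256(current + measurement).digest()


def replay_event_log(events: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Rebuild every PCR touched by the log, starting from the reset state.
    Order matters: the same measurements in a different order give
    different PCR values, which is what makes the log tamper-evident."""
    pcrs: Dict[int, bytes] = {}
    for index, measurement in events:
        pcrs[index] = pcr_extend(pcrs.get(index, RESET_VALUE), measurement)
    return pcrs


def check_device(reported: Dict[int, bytes], golden: Dict[int, bytes],
                 required: List[int]) -> Tuple[bool, List[int]]:
    """Compare the reported PCRs with the golden set for the PCRs the policy
    cares about. Returns (ok, indexes that differ or are missing)."""
    mismatched = [i for i in required if reported.get(i) != golden.get(i)]
    return (not mismatched, mismatched)


def measure(component: bytes) -> bytes:
    """Stand-in for hashing a firmware/bootloader image: we hash a label."""
    return hashlib.sha256(component).digest()


# Constructed known-good log for the (assumed) company laptop image.
GOLDEN_LOG: List[Tuple[int, bytes]] = [
    (0, measure(b"firmware-1.2")),            # PCR0: platform firmware
    (4, measure(b"bootloader-signed")),       # PCR4: boot manager
    (7, measure(b"SecureBoot=on")),           # PCR7: Secure Boot state
    (7, measure(b"db=company-signing-ca")),   # PCR7: authorised signer
]
GOLDEN_PCRS = replay_event_log(GOLDEN_LOG)
POLICY_PCRS = [0, 4, 7]


def healthy_report() -> Dict[int, bytes]:
    """A device that booted exactly the golden image."""
    return replay_event_log(GOLDEN_LOG)


def tampered_report() -> Dict[int, bytes]:
    """Same firmware and bootloader, but Secure Boot was switched off."""
    log = [(i, m) for i, m in GOLDEN_LOG if i != 7]
    log.append((7, measure(b"SecureBoot=off")))
    log.append((7, measure(b"db=company-signing-ca")))
    return replay_event_log(log)


if __name__ == "__main__":
    print("healthy:", check_device(healthy_report(), GOLDEN_PCRS, POLICY_PCRS))
    print("tampered:", check_device(tampered_report(), GOLDEN_PCRS, POLICY_PCRS))
```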
| lucb1e wrote:
| Better that it's a dummy device I can stick in a corner and
| turn on when needed, than the thing I need to carry around all
| day for various purposes like finding my way around and showing
| a legal public transport ticket.
| elric wrote:
| Along with chat control, it really seems like the EU is pushing a
| dystopian digital agenda.
| mono442 wrote:
| I mean, the EU is something like a modern take on Soviet Union
| so it shouldn't be surprising.
| Sharlin wrote:
| Suuure, if the USSR had been a deeply neoliberal market
| economy. Something tells me you don't know anything about
| either the EU or the USSR.
| brookst wrote:
| While I agree the EU is nothing like the USSR, calling it a
| market economy is kind of questionable. It's a bit of a
| hybrid, with companies allowed to market and sell on their
| own but with intense regulatory control over product design.
|
| From USB-C to ad supported business models, the EU has
| fairly tight control over how products are designed and
| monetized, in a way that I don't think can be described as
| a pure market economy.
|
| Note that I'm NOT saying their level of centralized control
| and government specification of product requirements is
| bad. It's a legit trade off and there are arguments that
| some or all of it is enlightened. But it's certainly not a
| place where you just build your product and ship it and let
| the market decide.
| riffraff wrote:
| Since when does a market economy need to have no regulation?
|
| Market economies are contrasted with planned economies,
| i.e. how prices are determined and production allocated,
| and the EU most decidedly is not that.
| mono442 wrote:
| Well, obviously there are differences, but some
| overreaching and, I believe, unrealistic policies, such as
| the EU's climate policies, are somewhat reminiscent of the
| Soviet Union's central planning.
| miroljub wrote:
| It's time to rush to Russia, while we still can.
|
| If they accept us, of course. Not everyone is Snowden.
| k0tan32 wrote:
| Did you forget the "/s" marker?
|
| Russia is one step ahead here, with mandatory pre-
| installed apps, full-scale internet censorship (still
| catching up with China, though), mandatory DPI, etc.
| kome wrote:
| so a smartphone is required by law? that's fucked up
| afandian wrote:
| No! Only required if you want to participate in society.
|
| And what gets me is that it's not just 'you need a phone', it's
| 'you need a Google or Apple account'.
| vaylian wrote:
| And neither Google or Apple are EU-companies.
| lucb1e wrote:
| You don't only need the account, you need a phone that is
| locked down with hardware components and cryptographic keys
| that attest it hasn't been modified "unauthorizedly". Where
| the authority is not the device "owner" but Google, Apple,
| and the manufacturer.
|
| The account would be easy enough with fake data and a 10 EUR
| prepaid one-time-use phone number. Finding an exploit in
| Android such that you can turn off Google's tracking but not
| trigger their "you modified your device" scans (that are to
| be tied to your government identity verification continuing
| to work) is a game I'm not looking forward to playing.
| parasitid wrote:
| Not A smartphone: an iPhone OR an Android verified device.
|
| Not your Linux phone with Waydroid or Fairphone with LineageOS.
| jonbiggums22 wrote:
| Well, only smartphones made and controlled by American
| corporations that are subject to US laws.
| jmclnx wrote:
| Let's pretend the EU would mandate desktop support; we all know
| it will only be applied to Windows and Apple. Maybe for Linux,
| BSD it will never be applied.
|
| In any case we all know ways of bypassing this age verification
| will be found, probably by the kids themselves. But all this will
| do is enable US big tech, killing the very EU based companies the
| EU has been crying about for years.
|
| Meta, Twitter, Google and M/S could not have created a better law
| to protect them than this law.
| irusensei wrote:
| Kids will bypass any verification by secretly using an adult ID
| or just straight away asking them to do it.
|
| Hell, the crazy things I used to do to connect to the internet
| after my mother went to sleep. She didn't want me using the
| internet because of phone charges, so I secretly got onto the
| roof to strip the phone wire bare and connect my own hidden
| cable that I would unroll and route to my room to connect to
| my modem at night. YES, part of it was to watch porn and
| download mp3s and roms. No, I wasn't of legal age. Did my life
| get ruined by this? Well, I'm an IT engineer now, so arrive at
| your own conclusion.
|
| I think this current hysteric moral panic is definitely being
| pushed by a lobby of a nascent AI industry that wants to create
| a problem for their surveillance tech solution.
| amelius wrote:
| Something tells me the granny on the bus can verify her age by
| going to the local service desk.
| jeroenhd wrote:
| My experience with digitalisation is that the optional physical
| service desks quickly start disappearing once the younger
| generations start using digital equivalents.
|
| Card payments and digital banking have closed most bank offices
| outside the larger cities. Mail dropoff boxes are slowly dying
| out. Paper bank invoices now cost extra (an unreasonable amount
| extra).
|
| Granny may be able to verify her age, but the service desk
| won't necessarily be local.
| lucb1e wrote:
| Here's the official Dutch government solution for if your
| mobile phone doesn't have NFC, if they don't support your
| phone's OS, or if they actively went out of their way to block
| your Android distribution: "go ask for another person's device
| then" https://www.digid.nl/stappenplan/id-check-toevoegen-aan-
| de-d...
| seydor wrote:
| This whole thing is good news for external hard disk
| manufacturers
| lucideer wrote:
| A lot of people outraged by this but ultimately this is good news
| - the more flagrant & public the technical incompetence of the
| people putting together these idiotic systems, the easier mass
| push back will be to foment.
| raincole wrote:
| It's not lol.
|
| The discussion has been shifted from "whether age verification
| should be a thing" to "how to implement a more convenient age
| verification system."
| bluecalm wrote:
| Is there anything in the proposal to stop people from VPN'ing to
| a free country and access their porn from there?
| riffraff wrote:
| No, like there's nothing preventing you from getting porn via
| USENET.
|
| This has always been a "best effort" initiative that is
| unlikely to stop "dedicated" users.
| frizlab wrote:
| I think they want to make age verification mandatory for
| subscribing to VPN services too.
| WithinReason wrote:
| Then you subscribe to the VPN with a VPN
| Saline9515 wrote:
| Yes, the EU will implement DPI and VPN restrictions in the
| future.
| alejoar wrote:
| You can't fence in the wind
| jampekka wrote:
| VPN will maybe work for porn but, as they say, "Age
| verification plays a crucial role across various scenarios,
| including access to online services, purchases of age-
| restricted products and claiming age-related benefits."
| Gazoche wrote:
| No, but once VPNs have become the only escape hatch available,
| this will be used a justification to ban them.
| lousken wrote:
| What if I were to buy a Linux phone? It's not even about desktop
| support, it's about supporting iOS or Android and nothing else,
| which is really bad.
| frizlab wrote:
| Most of what the EU does these days is (knowingly or not)
| freezing the current status quo regarding the tech world. It's
| depressing.
| alejoar wrote:
| And Europeans are either too passive, too ignorant or too
| focused on the wrong issues.
| mrtksn wrote:
| Tangentially, I would love to be able to see the age of everyone
| on the internet. IRL this gives us so much context when having an
| interaction.
| HK-NC wrote:
| Further tangent, I'm not big on digital ID and stuff overall
| but then I'll play an online game with cheaters and wonder if
| it's not the solution to things like this. Lifetime cross
| platform online game bans tied to your real life ID which you
| need to sign into this new all encompassing anticheat.
| mrtksn wrote:
| I don't think that anything should be as harsh ever but yes,
| having a reputation that goes everywhere with you is how we
| deal with problematic people in real life. That's how we stay
| civil without AI systems constantly scanning us or some type of
| police constantly watching. Also, we tend to tolerate,
| forgive and eventually forget when someone's behavior
| improves, so... Maybe actually having a continuous persona
| can help with the nihilistic tendencies too?
| 0xc0ff338 wrote:
| False positives aren't exactly rare. Cheaters trolled
| PunkBuster's memory scans by sending offending payloads
| matching blacklisted signatures over popular IRC channels;
| less recently, they exploited an RCE vulnerability to deploy
| cheats to other players' computers, mid-game. AMD released
| drivers hooking themselves into game processes, triggering
| detections. And there are a lot of less obvious problems with
| this approach.
| meindnoch wrote:
| I dream of a world, in which people are judged not by their age
| but by the content of their character.
| mrtksn wrote:
| There are other interaction modes than judging or hating. Age
| is useful for many of those; it's especially useful for
| tolerance. Most cultures do have an age based moral code for
| interaction which compensates both for experience (lack of)
| and decaying cognitive abilities due to age or provides
| credibility for perspective and trustworthiness.
|
| This enforced loss of fidelity is among the primary problems
| for online communications.
| chris_pie wrote:
| You're right, for example age is useful when picking
| targets for scams. It would also be great for groomers.
| mrtksn wrote:
| So? Go protect them the proper way. Do you also want to
| have all your messages scanned because you may be up to
| something illegal? Should we refrain from encryption
| because it can help terrorists? That's not my cup of tea, I
| don't like proxy "protections" that are supposed to
| protect us from evil at some huge cost like losing
| privacy or human connection.
|
| I don't subscribe to the idea that we should ban knives
| because someone can use them to stab someone.
| darkhorn wrote:
| And I hope they give their gender, ethnicity, nationality,
| religion, salary and geo coordinates.
| mrtksn wrote:
| Right, because everything has to be a hyperbole. Either it
| has to be context-free or a full totalitarian environment,
| right?
|
| Maybe the internet was a mistake.
| lucb1e wrote:
| I can't find which document it was specifically, but I seem to
| remember that the hackers' ethos has always been that it
| doesn't matter who you are, what your title is or what your
| skin looks like, but that your arguments are to be valued on
| their merit rather than by who says them. Age seems like
| another one of these properties you are stuck with.
| mrtksn wrote:
| I agree with that, I'm not arguing for discrediting arguments
| by age and ask for authority of the elders or something of
| that sort. Age provides context, it's helpful with
| facilitating the conversation in a healthier manner. Just the
| other day I was having an intense argument with someone on
| reddit, at some point it occurred to me that they don't
| understand because they are too young (checked the profile,
| definitely some kid trying to have an opinion on grown up
| stuff) and my words don't ring a thing in their head. Instead
| of being angry for them being too stupid to understand, I
| decided that they are not stupid or bad people but just too
| young. I was at that age some time ago and I knew how it
| feels, so I left them alone. They will understand when they
| understand.
|
| This is because words actually don't carry much meaning, they
| invoke something that the other side understands already. For
| example, it's very hard to have a conversation about some
| aspects of a relation of 40 y/o people if the other party is
| in their 20s. You need to relate with something of their age
| and build it up and even then it's likely they will understand
| it completely the wrong way. Over the years people evolve,
| they go over stuff and when you meet someone who hasn't been
| through the process you need to be aware of that otherwise
| you will mistake them for stupid (because, not everyone who
| ages ends up going through the transformation the same way.
| You better know if you are speaking to such a person or a
| younger person who has the chance).
|
| What I don't understand is, why people assume that everything
| you know about someone is supposed to be used against them.
| Why everything needs to be malicious?
| lucb1e wrote:
| Thanks for the elaborate and thoughtful reply! I have
| little to add to the bigger paragraphs, but about the
| question at the end: I've been wondering the same and think
| it must be an information age thing. Not in the abstract or
| the "kids these days" sense, but in that everything is
| stored somewhere and processed in invisible ways.
|
| I don't remember caring that someone took a picture of me
| with their Nokia when I know that they'll at worst share it
| to a handful of people via Bluetooth or try to upload it to
| a friend's MSN channel via GPRS. It won't be uploaded to
| Facebook, facial-recognized, and stuffed into a global
| database. Or visiting websites: I operate a website and I
| know you can parse which pages I viewed straight from the
| access logs. I don't mind, you can see what paths I took
| through the website and you might learn how to make a
| better flow. But technically, drilling down to such an
| individual user level is tracking based on personal
| identifiers and so would require consent under 2018's GDPR.
| I'm happy that it now does because I don't want Google to
| track every page I visit, and ~everyone uses Google
| Analytics because then you get perks like knowing what
| search queries you are doing well on (how convenient that
| Google removed referrers _for privacy_).
|
| I don't really have a solid answer -- why do I care about
| Facebook and Google but not about John "Malicious Sysadmin"
| Doe? -- but maybe it makes sense on some level. I need to
| think about it more still.
| mrtksn wrote:
| I think the problem is that the new communication methods
| are allowing for new modes of communications that we lack
| tools for dealing with malicious actors (like IRL when
| someone lies constantly, we know how to work with that
| person but we don't know how to deal with someone from
| the other side of the world who lies as a full time
| occupation preying for attention). The newer generation
| people are less and less interested with "talking to
| strangers" as the environment become too toxic and
| goal (like promoting a product or pushing an agenda)
| oriented when the internet became mainstream with the
| proliferation of 3G and iPhone/Android. IMHO there are
| not many real people out there, most people who create
| content are doing it as a job or as a side hustle and
| those who provide the platform treat people as numbers,
| probably not much different than butchers who are just
| trying to produce some meat so they don't see the animals
| as living beings. Plus, there are psychos all over the place
| who are trying to harm people for entertainment.
|
| As a result, real people are having real talk in the
| safety of group chats where they know the members to some
| degree, IIUC.
| Devasta wrote:
| So in order to be a part of European society I need to accept the
| terms and conditions of US companies?
|
| What happens if something goes wrong and you have to rely on
| contacting a human in Google of all places? Sorry, you have a
| copyright strike on your YouTube account, now you can't file
| taxes! Hopefully you have enough followers on Twitter that you
| can get them to pay attention.
| dvdkon wrote:
| I finally took a look at the DSA, and it only mentions anything
| relevant to age verification in three places:
|
| - Recital 71, which vaguely suggests minors' privacy and security
| should be extra-protected, but says that services shouldn't
| process extra personal data to identify them.
|
| - Article 28, which says that platforms should provide a high
| level of "privacy, safety, and security of minors", again without
| processing extra personal data to identify them. It also says
| that the Commission may "issue guidelines", but says nothing
| suggesting age verification should be implemented.
|
| - Article 35, which says that "large online platforms" should
| _maybe_ implement age verification.
|
| Furthermore, recital 57 says that the regulations for online
| platforms shouldn't apply to micro/small enterprises (which has a
| definition somewhere). All together, I don't see anything
| suggesting that anyone but the largest online services is being
| forced to implement age verification right now.
|
| Judging by various posts by the Commission I've seen online,
| they're certainly pushing for the situation to be seen this way,
| but de iure, that's currently not happening.
|
| EDIT: I found the guidelines mentioned [0], and a nice commentary
| on the age verification parts [1].
|
| [0]: https://digital-strategy.ec.europa.eu/en/library/commission-...
| [1]: https://dsa-observatory.eu/2025/07/31/do-the-dsa-guidelines-...
| jeroenhd wrote:
| The digital identity wallet isn't part of the DSA; it is part
| of an effort to bring identity to your phone, basically:
| https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...
|
| If implemented according to plan, things like ID cards,
| drivers' licenses, diplomas, train tickets, and even payment
| control can be handled within such apps entirely digitally.
| Aside from age verification, with attribute based
| authentication you can prove digitally that you're permitted to
| drive a certain vehicle without revealing your social security
| number (equivalent).
|
| A healthy dose of cynicism would make clear that the moment
| such optional infrastructure is rolled out, new legislation can
| be drafted to "save on expenses" by enforcing this digital
| model and "protect the kids/fight the terrorists" by forcing
| age verification on more businesses.
| dvdkon wrote:
| Yes, but this isn't part of the digital wallet project. As I
| understand it, the Commission was so impatient with age-
| verification that they commissioned this project separately,
| because they didn't want to wait for the full solution, hence
| it being called a "mini-ID wallet".
|
| I'm certainly not against vigilance and making sure no new
| laws mandating the use of either this or the full digital
| wallet sneak through, but my point is that, despite the
| Commission's misleading public stance, age verification is
| (mostly) not mandatory _today_.
| jeroenhd wrote:
| That's true, but as this is only a small part of the larger
| project, it's also targeting a very specific part of
| legislation.
|
| The README for the age verification spec specifically calls
| out article 28 of the DSA and the Louvain-la-Neuve
| Declaration. Neither is aiming to be the mandated age
| verification mechanism for every single website, but rather
| a specific tool to solve a specific problem: age limits on
| social media and big tech websites.
|
| If, or, seeing Denmark's recent bullshit: when, we do get
| mandatory age requirements, it'll be part of new
| legislation that will likely take years to go into effect,
| and, seeing how long it took websites to comply with the
| GDPR, will start affecting most websites even later. This
| isn't the doomsday law that I would've expected to come
| from the US if they were to write something like this, and
| using privacy-first cryptography does give me some faint
| hope that this isn't just a big performance to hide
| malicious intent. This could've been as bad as eIDAS 2.0
| with the QACs and other unreasonable technical
| requirements.
| everdrive wrote:
| > can be handled within such apps entirely digitally.
|
| _Can_ be handled? So you could still just use traditional
| physical, paper IDs?
| codedokode wrote:
| > Aside from age verification, with attribute based
| authentication you can prove digitally that you're permitted
| to drive a certain vehicle without revealing your social
| security number (equivalent).
|
| That doesn't make sense because the government knows about
| every vehicle and its owner and his social security number
| and there is no point to hide it. I think you misunderstood
| something or I misunderstood your comment.
|
| The goal of "bringing identity to your phone" is making
| identification easier to require it in more cases so that the
| government knows better what its citizens do. One thing if
| you are required to fill a 20 fields form to buy a bicycle
| and another thing if you need just to tap your phone at the
| cash register.
| ktosobcy wrote:
| Erm... FUT?
|
| - this project is just one implementation (POC if you want) -
| they simply state the current scope of the project
|
| For anyone sane managing projects it makes sense to correctly
| allocate resources that would cover the most people.
|
| and to all those whining butthurt individuals here - reality
| check is that it's way more probable that someone has and uses a
| smartphone than a computer. go out of your tiny bubbles...
| slackfan wrote:
| Papieren Bitte, Citizen.
| afandian wrote:
| When the UK age verification legislation was being debated I
| recall people saying "don't worry about unintended consequences,
| it's not like you'll have to show your ID to random websites!
| Someone will show up with a reasonable methodology. You'll be
| able to e.g. show your ID at a shop and get an anonymous token.".
|
| And plenty of people, including myself, thought "this is so
| dystopian it couldn't possibly happen".
|
| It did happen, and it's as bad as the doomsayers said it would
| be.
| lucb1e wrote:
| I would be curious what it's like in the UK. It would probably
| do well as an HN submission if you're up for writing a blog
| post about it. All I know is that they passed some legislation
| that requires people to authenticate for anything that could
| possibly show nudity or something, including Wikipedia, and
| that VPN apps were going wild. I don't know what it's actually
| like in daily life, how one does authenticate to Wikipedia (or
| if they bought themselves time for now by iirc suing the
| govt?), if there are privacy-friendly age verification options
| and if those options are commonly implemented by the websites
| that need it, etc.
| jampekka wrote:
| This is insane. USA is already pushing sanctions against
| Europeans via US companies (e.g. Microsoft revoking ICC
| accounts), and now they are about to tie basic functioning in the
| society to two US megacorporations. At the very least this will
| solidify the duopoly.
|
| At this point I don't find it impossible that critics or other
| "enemies" of US (or Israel) in Europe will get their phones
| bricked as sanctions, and as a result become second class
| citizens.
|
| I don't even see the necessity for having hardware attestation.
| We've had for decades online ID systems that you can run on
| any device with an internet connection.
|
| But think of the children, right?
| zelphirkalt wrote:
| Well, in the end there may only be one thing left we can
| collectively do, but which we surely won't collectively do,
| because too many of us are way too comfortable to accept any
| discomforts: We can avoid using services implementing shit, so
| that any business that singles out desktop users or disadvantages
| them, doesn't have much of a customer base. Voting with our feet.
|
| I have very little hope, that the common user will make use of
| their own agency avoiding a dystopia, or even think about issues
| associated with their behavior. We can see this everywhere even
| today. The majority of people are clueless and just accept
| whatever bone is thrown their way. Need to buy a new phone every
| year now? OK. Pressured to accept digital surveillance by not
| even state agencies but private profit oriented companies, that
| want to sell your data or use it for nefarious purposes? OK.
| Giving all your communication data to big tech? OK. ... It is all
| just a big "auto-accept any digital rape" for most people, as
| they don't even want to think about the technical implications
| and implications for society. It's all so far above their
| technological understanding, that they just exit the bus, when it
| comes to discussing these things. That is the problem we face.
| How to make the normal person aware and interested in their own
| digital rights.
| Fizzadar wrote:
| Depressingly this feels like a long lost battle. I suspect
| internet freedoms will continue to be eroded and by the time
| most people care enough it'll be too late.
|
| My optimistic brain is hopeful for federated services to become
| the norm and stand up to this kind of crap.
| bergfest wrote:
| I fear it is already too late, thanks to the phone duopoly
| and bulletproof secure boot environments. The EU can now make
| remote attestation mandatory by law.
| bergfest wrote:
| We have to assume this is only the first step. The next step
| will be mandatory identity attestation for everything and your
| only choices will be to either accept it or not use any
| services at all.
| bonoboTP wrote:
| Unless you can show a direct cause-and-effect relationship from
| clicking OK on some form to something negative happening in
| their real life that impacts them in actual physical real life,
| a real event at a particular time that they can observe with
| their eyes that relates to their real life (family, job, social
| life, going about their day), most people won't care. Otherwise
| it all blurs to some abstract words and theoretical tinfoil-
| like worries about the "government" and ufos and sovereign
| citizens.
| crest wrote:
| These EU politicians should stay the fuck out of things they
| refuse to understand unless they want to see a real darknet take
| off.
| snerbles wrote:
| At this point I think they very well do understand. Rocky times
| are ahead, TPTB know they're at risk if things get bad enough
| for the average denizen and they want to get in as much
| leverage against future dissidents as possible.
| EE84M3i wrote:
| I think the title "EU age verification app not planning desktop
| support" is misleading because it gives the impression that there
| will be no way to support EU age verification on the desktop.
|
| This is addressed in the comments:
|
| > It should also be noted that this project is an example of a
| solution that is considered to meet certain requirements of the
| DSA, regarding the protection of minors. It does not prevent the
| use of other solutions that also meet those requirements.
|
| So I think a better title might be "EU age verification _example_
| app not planning desktop support "
|
| (don't get me wrong, I'm not a fan of how this is implemented,
| but it's important to be accurate in our critique)
| bandrami wrote:
| I think this ship has sailed; I'm in India and I literally can't
| spend money without a phone.
| lucb1e wrote:
| Does that work on a (mostly) open source OS such as GrapheneOS
| or LineageOS, or does it require a locked phone from Google or
| Apple?
| whitehexagon wrote:
| As more people move away from spyPhone devices, how is this going
| to work. Especially having BigTech being able to hold the EU
| ransom over access to basic government services.
|
| A phone should not be a requirement to partake in society, and
| I'd even argue the same for a bank account. But I see this month
| another strong push towards a digital Euro. Is that the true
| purpose behind this push for .eu ID Apps?
| Almondsetat wrote:
| This is strange, in Italy our eID system can be used from the
| desktop with a (recent) smart card reader
| rmvt wrote:
| this was the case in portugal too, although i don't know if it
| still is since gov apps have been pushed to the apple and
| google stores. edit: it should still work according to this
| https://www.autenticacao.gov.pt/cartao-cidadao/autenticacao
| tiagod wrote:
| Gov app uses the "Chave Movel Digital", which can be used in
| the browser, as well as in a variety of mobile apps. This
| _CMD_ can also be used to digitally sign documents.
|
| I believe it's still possible to use the physical card with a
| reader for many things.
|
| I think some services still don't work with the CMD.
| Recently, I had to ask for changes to my car's document, and
| it seems it's only possible with the card itself.
| (https://www.automovelonline.mj.pt/AutoOnlineProd/)
| lucb1e wrote:
| Add Belgium and Germany to the list.
|
| Notably not the Netherlands. They've got the ID card chip (as
| required internationally iirc) but I emailed them once to get
| the public key so I can verify signatures (this was like 2016,
| I was still in school) and they said it was for governmental
| use only. It's not meant to be used by commercial entities
|
| Why the EU decides to go with the bad example rather than the
| good example, I have no idea. Both ways achieve the stated goal
| of age verification and even the possible goal of universal ID
| tracking, without disallowing you to do whatever you want with
| your phone's privacy settings
| lucabs wrote:
| Bc it's a smartphone spyware
| codeptualize wrote:
| Besides the obvious issues at hand, it's kinda ironic they
| publish this on Github, EU tech independence is going great.
| jwally wrote:
| Here's my crack at a good-enough solution for the U.S. It doesn't
| have a ton of granularity - but the concept is shovel ready now,
| dirt cheap, and privacy preserving.
|
| Video Demo: https://www.youtube.com/watch?v=MmcUJ5u65Q0
|
| Actual Demo: https://app.hornpub.click
|
| How it works:
|
| 1) Go to app.horpub.click
|
| 2) Create an ephemeral passkey
|
| 3) Extract its public-key and id (this binds the credential
| you're creating to your device)
|
| 4) The user copies this data to their bank's Age-Verification-
| Section
|
| 5) The bank creates an object that it signs with an attestation
| of the user's age (KYC) and their pass-key-public-key
|
| 6) The user copies this back to app.hornpub.click
|
| 7) The passkey is verified on the server, the bank's signature is
| verified by the server, some other meta-data is verified to make
| sure nothing weird is happening.
|
| 8) The user's age has been verified by their bank without the
| bank knowing who is asking for verification
|
| * This method is more private than anything requiring sharing
| your photo-id online
|
| * This method doesn't trigger GLBA or GDPR (user copies data
| themselves)
|
| * This method is free to the merchant (hornpub)
| SomeoneOnTheWeb wrote:
| What's crazy to me is why they didn't go for that kind of
| implementation. This works well, ensures privacy, can be
| audited easily, and doesn't need a f*cking app on my phone.
| jwally wrote:
| If I work for Aylo (pornhub, etc) I'm telling every fintech
| and click-and-mortar bank who wants more customers to do this
| yesterday!
|
| "Hey third fifth of Oregon! Do you want to triple your
| customer base in Oregon for the cost of a small dev team and
| 1 month of work?!"
|
| > f*cking app on my phone
|
| I need another app on my phone like I need another hole in my
| head...
| f_devd wrote:
| If you read the guidelines they actually want to implement a
| double-blind approach with ZKPs, which imo is significantly
| better than a challenge-response pub key system in terms of
| privacy.
|
| If you're not familiar this would mean the verifier doesn't
| learn anything except a statement about attributes (age,
| license, etc); and the EU doesn't learn what attributes have
| been tried to verify or by who.
| jwally wrote:
| Not asking to troll or be a jerk. Promise.
|
| What would need to happen in the United States to implement
| a reliable ZKP age verification system - and how long would
| it take to roll it out?
|
| Asking because it feels like the Titanic has sunk, and
| we're eschewing a floating door because the coast guard has
| regulation conformant life rafts that would work better.
| f_devd wrote:
| > United States to implement a _reliable_ ZKP age
| verification system (my emphasis)
|
| Realistically at least 3-4 years, assuming they want to
| keep the same goals as eIDAS. I think the (software)
| implementation will be the least costly part, time-wise;
| but it takes a long time before everyone adopts a new
| social system. Especially in the US where there has been
| no precedent for digital identification. Even with full
| control of your own ID & solid implementation
| details, there will be push-back just for suggesting that
| people/companies should adopt it.
| zb3 wrote:
| But the bank and the horn content provider could collude and
| that would let the bank know that you're watching horn (shame,
| shame!).
|
| The ZKP approach aims to prevent this attack method.
| jwally wrote:
| Chase.com currently is using:
|
| mPulse
|
| Google Marketing Platform Meta
|
| LinkedIn Ads
|
| Trade Desk
|
| Aggregate Knowledge (Trans Union)
|
| Adobe Audience Manager
|
| Can you elaborate on how the risk of ironbank and hornpub
| colluding by de-anonymizing you via rainbow tables or IP
| forensics is substantially greater than Chase and PornHub
| using - Google Marketing?
| zb3 wrote:
| It isn't, but due to bureaucracy, when designing a
| solution, it's that solution that has to be "secure"
| without really considering that the current outside
| situation is already insecure.
|
| Anyway I'm not advocating for this solution, just
| addressing the question directly.
| jwally wrote:
| Thanks for the feedback.
|
| I don't see this as the end all ultimate solution for age
| verification. I see it more as a tourniquet; imperfect -
| but better than bleeding to death.
| tzs wrote:
| What happens if some party is able to get logs of the bank's
| age attestation signings and of hornpub.click's steps #2 and
| #6? It appears this would present some risk of matching up
| hornpub.click accounts with real IDs.
|
| This is called "linkability" and ideally should be avoided so
| anonymous age verification can be safe.
| jwally wrote:
| Banks and most sites requiring age verification are
| _littered_ with tracking software that does _literally_ this.
|
| Further, if you put on an adblocker and I get access to the
| logs at ironbank and hornpub; I could just query them for
| your IP address.
|
| Collusion to this degree is possible, but doesn't seem worth
| worrying about if the aforementioned attack vectors still
| exist. My $0.02.
| codeptualize wrote:
| Seeing this kinda stuff makes me want to keep my physical license
| and ID. No need for digital ones, I'm good with the cards.
| emigre wrote:
| This post is misleading.
|
| The project is just an example.
|
| It does not mean there will not be support for other ways of
| verification.
| Maxious wrote:
| Arguing with some random developer contracted by European
| Commission to make example code for mobile devices is not a
| political solution
| emigre wrote:
| Exactly
| ulrikrasmussen wrote:
| It also doesn't mean that there will, and it is a strong
| indication that there won't.
| slackfan wrote:
| Looking forward to this becoming the norm in the US at some point
| around the time I retire from the tech sector to go farm. I will
| take a nice boat ride into the ocean and throw my phone into a
| particularly deep spot.
|
| I said what I said, do not @ me.
| fvdessen wrote:
| It seems very reasonable to me for a first version of a system to
| only support the most popular platforms. Especially since this is
| open source, nothing stops enthusiasts to port the mechanisms to
| more niche platforms later.
| mzajc wrote:
| > Especially since this is open source, nothing stops
| enthusiasts to port the mechanisms to more niche platforms
| later.
|
| Not even hardware attestation?
| bradley13 wrote:
| "This makes the web unusable for anyone who wants to browse the
| web privately."
|
| This is not an accident. This is intent. Look at the arrests for
| social media posts in the UK and Germany.
| bonoboTP wrote:
| And Hungary
|
| https://www.euronews.com/my-europe/2020/05/14/hungary-critic...
| throw7 wrote:
| Looks like the 'number of the beast' isn't a number; It's a
| smartphone from Google or Apple. Who knew?
| f_devd wrote:
| I've posted this as a response but I'll post it again since it
| seems like a lot of people are confused about the project:
|
| This project is not THE digital wallet, it is an early prototype
| of the wallet (which can be criticized for what it is, but the
| issue is somewhat orthogonal).
|
| The actual infrastructure is not based on attestation, if you
| read the guidelines (or the readme) they actually want to
| implement a double-blind approach with ZKPs, which imo is
| significantly better than a challenge-response pub key system in
| terms of privacy as some suggested. And allows for cross-platform
| (and in theory hardware) support.
|
| If you're not familiar this would mean the verifier doesn't learn
| anything except a statement about attributes (age, license, etc);
| and the EU doesn't learn what attributes have been tried to
| verify or by who.
| NooneAtAll3 wrote:
| > This project is not THE digital wallet, it is the wallet
|
| ...what?
| maxfurman wrote:
| GP has edited the comment to make more sense
| vaylian wrote:
| Thanks for chiming in! Is there some documentation on the Zero-
| Knowledge-Proof, that this app is supposed to use?
| f_devd wrote:
| I don't know the specific ZKP variant if that's what you
| mean, but the general architecture of the system is best
| described in the 38C3 talk from earlier this year:
| https://www.youtube.com/watch?v=PKtklN8mOo0
|
| There are some choices that are debatable (more on the issuer
| side iirc), but imho for the goals it has it's a competently
| made architecture.
| MatteoFrigo wrote:
| See https://github.com/google/longfellow-zk
| Confiks wrote:
| > a lot of people are confused about the project
|
| This is misleading. They are merely _exploring_ options that
| may allow for issuer unlinkability, but they are actually
| implementing a linkable solution based on standard cryptography
| that allows issuers (member state governments) to collude with
| any verifier (a website requiring age verification) to de-
| anonymize users. The solution is linkable because both the
| issuer and the verifier see the same identifiers (the SD-JWT
| and its signature).
|
| The project is supposed to prove that age verification is
| viable so that the Commission can use it as a success story,
| while it completely disregards privacy by design principles in
| its implementation. That the project intends to perhaps at some
| point implement privacy enhancing technologies doesn't make it
| any better. Nothing is more permanent than a temporary
| solution.
|
| It will also be trivial to circumvent [1], potentially leading
| to a cycle of obfuscation and weakening of privacy features
| that are present in the current issuer linkable design.
|
| [1] https://news.ycombinator.com/item?id=44458323
| f_devd wrote:
| > This is misleading. They are merely exploring options that
| may allow for issuer unlinkability, but they are actually
| implementing a linkable solution based on standard ECDSA..
|
| The repository we're commenting on has the following in the
| spec[0]: "A next version of the Technical Specifications for
| Age Verification Solutions will include as an experimental
| feature the Zero-Knowledge Proof (ZKP)". So given that the
| current spec is not in use, this seems incorrect.
|
| > It will also be trivial to circumvent
|
| If you have a key with the attribute of course you can
| 'bypass' it, I don't think that's a bug. The statement required
| should be scaled to the application it's used for; this
| "over-asking" is considered in the law[1].
|
| > The project is supposed to prove that age verification is
| viable, while it completely disregards privacy by design
| principles in its implementation. That the project intends to
| perhaps at some point implement privacy enhancing
| technologies doesn't make it any better.
|
| I agree that in its current state it is effectively unusable
| due to the ZKPs being omitted.
|
| [0]: https://github.com/eu-digital-identity-wallet/av-doc-technic...
| [1]: https://youtu.be/PKtklN8mOo0?si=bbqtzMhIK7cFLh6S&t=375
| Confiks wrote:
| > So given that the current spec is not in use, this seems
| incorrect.
|
| No, that's not what they mean. They just mean that the spec
| (and for now only the spec, not the implementation) will be
| amended with an experimental feature, while the
| implementation will not (yet).
|
| I understand (?) that you are interpreting this as: "we'll
| later document something that we've already implemented",
| but this is not the case. That isn't how this project
| operates, and I'm intimately familiar with the codebase so
| I'm completely certain they haven't implemented this at
| all. There is no beginning or even a stub for this feature
| to land, which is problematic, as an unlinkable signature
| scheme isn't just a drop-in replacement, but requires
| careful design. Hence privacy by design.
|
| > If you have a key with the attribute of course you can
| 'bypass' it, I don't think that's a bug.
|
| Anyone of age can make an anonymous age attribute faucet
| [1] for anyone to use. That it's not technically a bug
| doesn't make it any less trivial to circumvent. I wouldn't
| expect the public or even the Commission to make such a
| distinction. They'll clamor that the solution is broken and
| that it must be fixed, and at that point I expect the
| obfuscation and weakening of privacy features to start.
|
| So as we already know that the solution will be trivial to
| circumvent, it shouldn't be released without at least very
| clearly and publicly announcing its limitations. Only if
| such expectations are correctly set, we have a chance not
| to end up in a cycle where the open source and privacy
| story will be abandoned in the name of security.
|
| [1] Because of the linkable signature scheme in principle
| misuse can be detected by issuers, but this would be in
| direct contradiction with their privacy claims (namely that
| the issuer pinky promises not to record any issued
| credentials or signatures).
| f_devd wrote:
| > Anyone of age can make an anonymous age attribute
| faucet [1] for anyone to use. That it's not technically a
| bug doesn't make it any less trivial to circumvent. I
| wouldn't expect the public or even the Commission to make
| such a distinction. They'll clamor that the solution is
| broken and that it must be fixed, and at that point I
| expect the obfuscation and weakening of privacy features
| to start.
|
| I can see this argument, but it has a few caveats:
|
| - The 'faucet', providing infinite key material in an
| open proxy is also very vulnerable
|
| - If the only attribute is age verification then
| uniqueness is not required; i.e. you can borrow the key
| of someone you trust and that should be fine.
|
| - The unlinkability is a requirement from the law itself,
| i.e. the current implementation cannot be executed upon
| assuming rule of law holds
| skybrian wrote:
| They point out that some other service could do it:
|
| > It should also be noted that this project is an example of a
| solution that is considered to meet certain requirements of the
| DSA, regarding the protection of minors. It does not prevent the
| use of other solutions that also meet those requirements.
|
| Is anyone building that service?
| lucb1e wrote:
| The EU is paying for this one but not other ones apparently.
| Strange. It's almost as though they're paying to build what
| they plan to use rather than making an example for the heck of
| it
| harrisoned wrote:
| > At present the project is focused on mobile platforms,
| specifically Android and iOS, as they cover the vast majority of
| users and real-world use cases. (..) Desktop support is not
| currently within the project's scope.
|
| This is the equivalent of a "Do you guys not have phones??"[1]
| but on a way larger scale.
|
| At least where I live I am able to use the bare minimum of
| phones, even working with tech. The friction is increasing
| though, which worries me a lot, and day after day there is a new
| attempt to shove it down your throat if you want to be considered
| a member of society. Seeing that a lot of countries (including
| mine) are pushing for age verification, and the whole thing about
| Android blocking 'sideload', by the end of 2026 you won't be
| considered a human being without a government certified
| smartphone.
|
| [1]: https://www.youtube.com/watch?v=ly10r6m_-n8
| kulahan wrote:
| I do find it interesting that in an attempt to bring more
| people into modern society (via ability to access everything
| from an inexpensive smartphone), we're creating a
| stratification in society.
|
| My brother hates tech more than me, and only has an old flip
| phone. I'm always surprised by the random problems he runs into
| as a result. Unresponsive desktop sites that beg you to
| download apps are the worst.
| krzyk wrote:
| This is good I think because lack of verifications anywhere is
| good. So at least desktops will be free of it.
| simjnd wrote:
| Worse: You just won't be able to use websites on desktop
| unless you pull out your phone and verify.
| mindslight wrote:
| But this will at least create a healthy pressure for
| competing options for users on desktops, likely based on
| novel secure protocols.
| avra wrote:
| Most of the time the user prioritizes more convenient
| options over privacy. "Pressure for competing options"
| will mean that options compete for the most convenient
| way, not most secure or most private.
| mindslight wrote:
| Sure, but the point is that the more convenient less-
| secure ways are going to be criminalized. Otherwise
| nobody would use the age verification app in the first
| place.
| BeFlatXIII wrote:
| I hope the push for verification leads to the normies
| learning the ways of identity theft. The fun really ramps
| up once they figure out free money tricks.
| bonoboTP wrote:
| Another recent news about mandated app use: Ryanair now (from
| November) requires using their app for the boarding pass, no
| more printouts from the desktop. Also, they refuse to show the
| QR code for the boarding pass in a mobile browser via the
| website, you _must_ use their app.
|
| https://www.msn.com/en-ie/travel/news/ryanair-s-new-check-in...
| llimos wrote:
| Big difference between a private company mandating app use,
| and a government
| bonoboTP wrote:
| I disagree. It's a tandem, and corporations and the
| government are increasingly welded together.
|
| Also, I'm not too worried about the airport use case as
| we're already being tracked and surveilled and inspected
| there as much as possible.
|
| But it's another step to normalize and mandate phone and
| app use. The puzzle pieces are falling in place. Soon, AI
| could screen-capture your phone screen to detect suspicious
| activity, and track every tap you do, also taking pictures
| with the front-facing camera without you knowing, listening
| on the mic, etc. etc., connecting it all to your real
| identity. Because why not? If it's done step by step,
| nobody will care at all. Maybe that sounds pessimistic, but
| it looks like the end game and I see no principled
| political stance against it, nor any insurmountable
| technical hurdles.
| card_zero wrote:
| > increasingly welded together
|
| That's an insinuation with some vague truth to it, but
| not much. Budget airlines are not government departments,
| and competition between them isn't phony.
|
| "The sky is blue" "I feel that it is increasingly yellow"
| bonoboTP wrote:
| There's little competition pressure because consumers
| don't care. I guess the standard theory says that the
| buck ends there. If people are fine with it, it's fine.
| card_zero wrote:
| Now you're talking! People suck, it's their fault.
| bonoboTP wrote:
| We'd do well with taking an honest stock of what allowed
| the formation of democracies and civil liberties, because
| likely it wasn't that average people longed for it so
| much that it happened. It's out of my weight class to
| pitch a grand narrative for this, but we've seen many
| forms of societies and governances and the current one
| (or from 20 years ago) won't be the last.
| johnnyanmac wrote:
| There have been very few policies truly passed because
| "everyone wanted it". It always starts with some
| "radical" minority bringing the idea to light and then
| campaigning for it. Even if the thing is obvious.
|
| The former happening would make so many things easier.
| XorNot wrote:
| You are arguing there's little competition pressure
| between budget airlines, a business with notoriously
| razor thin margins which people shop almost exclusively
| on price to the exclusion of all other parameters?
|
| This isn't a serious argument.
| bonoboTP wrote:
| Only price pressure. No measurable number of consumers
| will choose a different airline due to their boarding
| pass app policy.
| horsawlarway wrote:
| Functionally, I'm not sure I agree.
|
| Ex - we already have plenty of cases where the government
| outsources payment processing to 3rd parties. What happens
| when that private 3rd party declares it's not accepting
| payments through anything except a mobile app?
| oblio wrote:
| What about Google Wallet? Or just a PDF from your email?
| bonoboTP wrote:
| To me, that's getting bogged down in details. What matters
| is the intent and direction. Maybe you will have some
| workarounds for some time. But just as more and more places
| go cashless, it will also be paperless and mandatory app-
| based.
| alexchamberlain wrote:
| But what if my battery runs out?
| bonoboTP wrote:
| They are verbose and vague about it: "Some passengers may
| be concerned about what they can do if they lose their
| phone or of their devices run out of battery before the
| pass board the aircraft. Ryanair has said they will assist
| people experiencing difficulties free of charge at the gate
| gathering their information and flight details which will
| be cross-checked and validated against the flight manifest
| so that they can board as normal."
| jacobgkau wrote:
| Of course-- there will be accommodations to start out
| with. Then, after the new system has become "just the way
| things work," the accommodations will be removed for
| security or efficiency or some other reason.
|
| Or maybe not. I've never lost a boarding pass, but if you
| lose one, you can get it re-issued somewhere, right?
| bonoboTP wrote:
| Without endorsement of the behavior, here's a guy getting
| arrested for being argumentative about not having a
| boarding pass in the app, and being told he can't pay
| their 5 dollar boarding pass print fee with cash.
|
| https://www.youtube.com/watch?v=0QwwPmHyuEA
|
| Again, being argumentative like this never helps, but it
| will be you either go along with it, get escorted out or
| not fly in the first place.
| bonoboTP wrote:
| The likely future is where you'll be given a USB-C
| charger to charge your phone. If you have no phone or it is
| broken, it will be the equivalent to having a strongly
| damaged passport. No fly that day, get a new phone, fly
| on another date, just like if you needed a new passport.
| The phone will be your ID, passport, credit card and
| everything. But since it will be all backed up in
| Google/Apple/Microsoft cloud, maybe you'll be able to buy
| a new simple phone near the gate, log in via fingerprint
| and facial recognition and go on your merry way. But
| also, once all this stuff is connected up in the cloud,
| maybe facial and fingerprint recognition will be enough
| to fly. NFC chips under the skin are probably too bad
| optics for the near future, but in one or two
| generations, attitudes will shift.
|
| > I've never lost a boarding pass, but if you lose one,
| you can get it re-issued somewhere, right?
|
| Yes, typically there's a fee for getting it printed at
| the check-in counter.
| EvanAnderson wrote:
| Ticketmaster and their stupid app is another good example. As
| if I couldn't hate Ticketmaster any more I recently bought
| some tickets and learned about this idiocy.
| SketchySeaBeast wrote:
| I throw the tickets into my (digital) wallet and then don't
| think about the app until the next time I need to buy
| tickets. But that's not helpful if you don't have a phone.
| EvanAnderson wrote:
| I used to print paper tickets so I could get into a show
| if my phone died / got broken / etc. That doesn't happen
| often, to be sure, but I also don't want phone bullshit
| to keep me out of a show that, in the case of this recent
| one, I have >$500 in tickets for. One less dependency is
| a good thing.
|
| More to the point, the app isn't for my convenience. It
| doesn't do anything to make my experience better.
| smcg wrote:
| And most wallet apps don't work if you install your own
| phone OS.
| wkat4242 wrote:
| A BIG reason these companies like Ryanair want you to use
| their app its that it's much easier to collect data about you
| than through a website :(
| XorNot wrote:
| No, it's a cost cutting measure. App-only reduces support
| and development costs with whoever they're outsourcing this
| to.
|
| There's a line item which basically said "mobile web" and
| they wanted it gone to save some number of dollars per
| year.
| bonoboTP wrote:
| No, sending a PDF by email is no extra cost. They already
| have an email output interface for tickets and receipts
| and confirmations.
|
| It's all about better tracking. I'm not quite sure what
| additional info they get exactly, but tons and tons of
| mobile websites (that work and don't get deleted) are
| close to unusable due to a barrage of popups telling you
| to use the app (e.g. Reddit and other socials).
|
| Also there is no indication they will stop the mobile web
| version. Already today the mobile web version is there
| but it explicitly refuses to show the boarding pass QR
| code: https://i.redd.it/lj3wdnfp9mq91.jpg
| XorNot wrote:
| As an SRE I can assure you that "sending a PDF by email"
| is far from free to support, and anything email is pretty
| much top of the list to eliminate.
| wkat4242 wrote:
| It doesn't need to be by email. They can simply show it
| in the mobile website.
|
| But they refuse to do so in order to get all that data
| which they can sell. In a mobile app it's way harder to
| run ad blockers and much easier to sneakily collect
| information on the user. Especially on android which is
| by far the biggest OS in the countries where Ryanair
| operates.
| sally_glance wrote:
| We (software agency) recently encountered this line of
| argument for the first time here in Germany.
|
| It definitely reduces costs to swap 3 platform support to
| 2, but it still came as a kind of surprise to me. They
| (customer) poured years and seven digit figures into the
| web-based version which is now effectively going to be
| trashed. The current prod metrics are not supporting the
| 90% mobile thesis... I guess they just have high
| confidence that it will become true soon.
|
| I'm wondering if these are the first signs of an age-
| based bias I have and the next generation just can't
| really imagine a majority of users using desktop PCs.
| johnnyanmac wrote:
| There's a line between "we don't support this platform"
| and actively making it hostile to try and use a platform.
| It may have even taken extra development time to make
| sure they can reject showing the QR code on a webpage, if
| their app is just serving that same web page.
| WaitWaitWha wrote:
| This has been the same for most low cost airlines (e.g.,
| Frontier, Spirit). To get a boarding pass _without a mobile_,
| the customer must go to the counter, pay an additional fee and
| get the printed version.
| gclawes wrote:
| Tin foil hat time: this is why Google is pushing to kill app
| sideloading.
|
| Mobile phones are the only platform at the moment that can
| reasonably be used to enforce mandatory software installs and
| remote attestation. Removing sideloading can, down the road,
| lead to Google (or Apple for iOS) forcing all app store
| provided apps/browsers to support government authentication APIs
| like this.
| irusensei wrote:
| Google is gung-ho on embracing every kind of identification law
| because it aligns with their business model. They sell ads
| therefore it is important that humans are authenticated. Other
| social media companies like X have similar incentives.
| jeffrallen wrote:
| I looked into the Swiss version of this, which is documented
| here: https://swiyu-admin-ch.github.io/
|
| They faced the same question. Here is their answer:
| https://github.com/orgs/swiyu-admin-ch/discussions/20
|
| The tldr is that they have a legal requirement to bind
| "verifiable credential shares" with the same human who got the
| e-ID originally, up to the current best practical technology. On
| Android, they judge that to be "keep the private key in the HSM
| and require a local biometric (or PIN) unlock to use it". This is
| why they argue that proving your age will not be possible without
| a mobile device.
|
| You can prove your age anonymously, for an anonymous account, which
| can be used on a non-mobile device. It's just that the
| age-proving part must happen from a mobile device.
|
| A propos of more or less nothing: in the Swiss context, websites
| requesting the proof will be required to request the least
| information necessary for their need. They must NOT ask for your
| name, ID number, or birthdate if the question they are trying to
| answer is, "is this person old enough for our service?"
|
| This is excellent technology, and the Swiss law on it that we are
| voting for next weekend is an excellent law, so I urge a
| OUI/JA/SI vote on it, if you're a Swiss citizen.
| fh973 wrote:
| Donald, is it you?
| lucb1e wrote:
| > The tldr is that they have a legal requirement to bind
| "verifiable credential shares" with the same human who got the
| e-ID
|
| Glancing at the thread, I don't see that conclusion. User
| 'sideeffect42' cites some laws and says
|
| >> As I read this it nowhere says that the e-ID has to be bound
| to a device. It only speaks about binding it to its owner which
| (IANAL) could be implemented by password protection (like
| KeePass) as well, since only the owner knows the password.
|
| Nobody seems to have replied to that.
|
| Alternatively, the software could just scan your ID card's chip
| when you need it, or whatever it is that it does for first-
| time-use verification anyway. It need not require your phone
| to be locked down, locking you out of any control over tracking,
| installed apps, or reading the phone's storage and network
| traffic to merely see what it tracks about you. The phone can
| simply act as an NFC reader so that your ID can sign a
| challenge with an "over 18" flag included within the signed
| data.
|
| And that's if you want ubiquitous age verification in the first
| place. I find that u/raincole made a good point here that
| outlandish implementations have successfully shifted the
| discussion away from the aspect of whether ID-based checks must
| be widely performed:
| https://news.ycombinator.com/item?id=45361883
|
| > so I urge [to vote a certain way], if you're a Swiss citizen
|
| Is this post genuinely trying to add something to the thread,
| or a way to promote your agenda?
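The challenge-signing and least-information points raised above (this comment and jeffrallen's description of the Swiss rules), as an added example that is not from the thread or from any eID project: the verifier issues a nonce and may only ask for the over-18 predicate, and the card answers with that predicate bound to the nonce and nothing else. The HMAC key, all function names and the sample dates are constructed stand-ins; a real card would use an asymmetric signature.

```python
"""Challenge-response age proof with data minimization (constructed example)."""
import hashlib
import hmac
import json
import secrets
from datetime import date

# The only claim a website running an age gate is allowed to request.
ALLOWED_CLAIMS = {"over_18"}

# Constructed stand-in for the card's signing key. A real eID card signs with
# an asymmetric key; an HMAC key shared with the issuer models that here.
CARD_KEY = b"constructed-demo-key-not-real"


def verifier_make_challenge(requested):
    """Website side: mint a fresh nonce and list the claims it asks for.
    Requests for anything beyond the age predicate are refused up front."""
    extra = set(requested) - ALLOWED_CLAIMS
    if extra:
        raise ValueError(f"over-collection: {sorted(extra)}")
    return {"nonce": secrets.token_hex(16), "claims": sorted(requested)}


def card_sign(challenge, birthdate, today, key=CARD_KEY):
    """Card side: derive the predicate locally and sign it together with the
    nonce. The birthdate itself never appears in the signed payload."""
    had_birthday = (today.month, today.day) >= (birthdate.month, birthdate.day)
    age = today.year - birthdate.year - (0 if had_birthday else 1)
    payload = {"nonce": challenge["nonce"], "over_18": age >= 18}
    msg = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(key, msg, hashlib.sha256).hexdigest()}


def verifier_check(challenge, response, key=CARD_KEY):
    """Website side: accept only a fresh, correctly signed payload that carries
    nothing beyond the nonce and the requested predicate."""
    payload = response["payload"]
    if set(payload) - ({"nonce"} | ALLOWED_CLAIMS):
        return False  # payload leaks more than the age predicate
    if payload.get("nonce") != challenge["nonce"]:
        return False  # replayed or answering a different challenge
    msg = json.dumps(payload, sort_keys=True).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["sig"]):
        return False  # tampered or not produced by the card
    return bool(payload["over_18"])
```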
| renewiltord wrote:
| EU gonna EU. You should be thankful. If they made a desktop app
| answering the cookie banner would rival applying for citizenship
| in complexity.
| oblio wrote:
| You do know that all those sudden repairability and longer OS
| updates Samsung and Apple keep touting worldwide are due to EU
| regulations, right?
|
| Easy battery and screen replacements, USB C on iPhones, 7 years
| of OS updates, etc, all due to the EU.
| renewiltord wrote:
| Yeah, all sorts of pointless crap. 7 years of updates, that's
| the iPhone X? Yeah I couldn't care less. USB-C? Don't care. I
| use wireless charging. If we could lose all of that in
| exchange for losing cookie banners I would take it in a
| heartbeat.
|
| In another couple of decades the EU will be an irrelevant
| market as their population becomes even poorer. Then we can
| finally be free of their nonsense. The only risk is that the
| Eastern European countries become more prosperous than the
| Western European ones and prop up their influence.
| graemep wrote:
| Only available on Android and ios, only installable from Google
| and Apple App stores (in practice now, but completely when Google
| tightens control). So much for digital sovereignty.
| Geee wrote:
| The much bigger issue is that it's the first time when you're
| required by law to install government software on your devices.
| It's breaching your private space and it's immoral and wrong.
| Private spaces, including digital, should be protected from
| government by constitutional law.
| lucb1e wrote:
| > the first time you're required by law to install government
| software on your devices
|
| If it were only that. We could sandbox it, deny it permissions
| it doesn't need, or inspect what it does. All fine and dandy.
|
| No, it's the first time a democratic government requires you to
| carry a 5G video recorder that you can't turn off short of
| smashing it to pieces if the manufacturer is ordered to make it
| so. But then you can't do half the things a normal person can
| do so you won't smash it to pieces if you don't have evidence
| it's currently acting as a bug.
|
| The EU software tries to detect when you put it in a sandbox or
| when you merely try to inspect what it's doing. Attach a
| debugger and it'll refuse to verify your age to social media so
| you can't use that anymore. Install an open source OS on your
| phone and you can't so much as legally obtain your own
| government's software in the first place.
| rnaarten wrote:
| It's more than reliance on smartphones, it is reliance on people
| having a Google or Apple account to actually download the app.
|
| That's a large factor worse. The digital identity wallet has as
| one of its spear points privacy, but it forces you to have that
| big tech privacy slaying account.
|
| It's a privacy tying sale.
| emigre wrote:
| I think that the European Digital Identity project should not be
| hosting its source code and content related to European
| standards, guidelines, and initiatives on GitHub, a closed source
| product owned by Microsoft.
| pennaMan wrote:
| Why stop there? Go all in: they should not run their open
| source totalitarian digital control nightmare codebase on
| closed source hardware, because that's the real issue!
| emigre wrote:
| If Dr. Evil created a death ray machine to destroy all life
| on Earth, I would be there to say "oh it is based on an open
| standard, how nice".
| emigre wrote:
| If nonprofits like the FSF or communities like the Debian
| project are able to store their code, why is an organisation
| with the magnitude of the European Commission unable to do it?
| irusensei wrote:
| Quick! Save the EU from Microsoft by cloning it to your hard
| drive so the code can be safe and sound.
|
| Nah seriously this doesn't really apply to Git.
| rwyinuse wrote:
| I wonder how this aligns with EU's accessibility act. Covering
| "the vast majority of users and real-world use cases" isn't
| really enough based on EU's own regulation.
| kkfx wrote:
| What a sovereign tech indeed, considered that both Android and
| iOS are USA flagship mobile OSes...
|
| Beside that, as long as people do not realize that Desktops are
| for personal ownership and personal production while mobile are
| only for surveillance and consumption, all digitization efforts
| will push those who know toward something else: cryptos instead
| of legal tender money, self-hosted stuff and so on.
|
| As a result, at a given point in time the population will be split in
| two main cohorts: those who know vs all the rest.
| qwerty456127 wrote:
| EU is just rushing into bullshit dystopia scifi with its useless
| and harmful anonymization and chat control ideas. These just
| ought to fail and be rolled back. Imagining these succeed seems
| nearly as wild as waking up in the world where people do yakuza-
| style thumb cut to every naughty kid who fails to do his
| homework.
| emigre wrote:
| Denmark has a digital ID service for its citizens called MitID
| which includes a 2FA system that can involve a smartphone app,
| but not necessarily. Citizens can request a code display device
| if they prefer not to use an app. There are also audio code
| readers for people with impaired vision.
|
| The system works really well and it's very convenient.
| stronglikedan wrote:
| surface tablet sales soar!
| jacquesm wrote:
| I guess I'll pass then.
| tempesttea wrote:
| Smart move, no sense making an app to tell you all us desktop
| users are old.
___________________________________________________________________
(page generated 2025-09-24 23:01 UTC)