
EU age verification app to ban any Android system not licensed by Google

WarOnPrivacy

In the case of Android, genuine means:

    The operating system was licensed by Google
    The app was downloaded from the Play Store (thus requiring a Google account)
    Device security checks have passed

While there is value in verifying device security, this strongly ties the app to many Google properties and services, because those checks won't pass on an aftermarket Android OS

The issue is being raised here: https://github.com/eu-digital-identity-wallet/av-app-android...

    I would like to strongly urge to abandon this plan. 
    Requiring a dependency on American tech giants for age verification
    further deepens the EU's dependency on America and the USA's
    control over the internet. 
    Especially in the current political climate I hope I do not have
    to explain how undesirable and dangerous that is.
As a resident of the aforementioned political climate, I find their concerns to be reasonable.

There are a number of comments in that same thread that indicate a mandate to utilize Google services may run afoul of EU member nations' integrity and privacy laws.

userbinator

"Device security checks" is the most horrifying aspect as it basically means "officially sanctioned hardware and software", and leads straight into the dystopia that Stallman warned us about in Right to Read.

There is some amusing irony in the EU relying on the US for furthering its own authoritarianism. It's unfortunate that freedom (in the classic rebellious, American sense) never became that popular in the EU, or for that matter, the UK.

rightbyte

> As a resident of the aforementioned political climate, I find their concerns to be reasonable.

No. The lesson is that stuff like this is concerning whatever the "political climate".

Anyway, you mainly don't want the gov in your vicinity to snoop. Non-local OSes are probably advantageous in that regard if you choose to run proprietary code...

johnnyanmac

> No. The lesson is that stuff like this is concerning whatever the "political climate".

We say this, but many also want to entrust all our PC games to one closed source launcher. Or have videos/TV all on one subscription service. There's definitely a spectrum of benevolent and greedy dictators people draw lines on.

dspillett

> many also want to entrust all our PC games to one closed source launcher

I think that is far more that people like the other closed source launchers less, and each launcher potentially adds its own stream of notifications and adverts to their system so there is a cost to having multiple active even if the PC resource cost is practically undetectable.

Furthermore if comparing game launchers and related issues to political climates, I'd consider all the current closed source ones to be the same in those respects. Also we are not subject to several local political climates at any one time in that way (though we are when looking at a wider scale, of course).

> Or have videos/TV all on one subscription service

While there are other issues (each service tracking you etc.) this is more due to the fact that each service charges what we used to pay (in fact more, as in some cases prices have gone up by more than general inflation) for a single service that provided the same amount of content that they cared about. This doesn't really equate to trust on political climates (except where commercial greed is considered a political matter).

A4ET8a8uTh0_v2

This is genuinely a real issue. It seems that most people cannot foresee an issue down the road unless it just happens to personally affect them after it took place ( ideally immediately after ). Valve is a good example, because while it is providing good value for the service it provides, it will not stay like that forever, but the environment it did set up will. And it will hurt once MBAs divvy up that kingdom. Just sayin'

And obviously it is not just one arena, because it seems to be one glaring issue with human beings: they do not want to see the road ahead. And the ones they do are, at best, ignored.

decremental

From the telegraph.co.uk: "Elite police unit to monitor online critics of migrants" and there are people worried about the "political climate" in the US lmao

snickerbockers

The European union never ceases to amaze me. Whatever happened to becoming less dependent on American corporations?

They flip flop on this stuff at least once a month, and the most annoying part is that they always herald everything they do as some new epoch-defining initiative only to quietly forget about it and do the opposite a few months later.

If nation states are dogs, then the EU is the chihuahua: loud, proud and extremely ineffective.

wting

Because of goomba fallacy.

The EU is not a hegemonic state, but rather an economic supranational organization. France/Germany tend to be primary proponents of increased EU strategic autonomy, while Poland/Czech/Baltic states are less supportive.

Similar to recent discussions of self-hosting, it's a tradeoff of autonomy/control vs efficiency.

alephnerd

> Germany tend to be primary proponents of increased EU strategic autonomy

Germany isn't doing this as much anymore, because Germany Inc has become increasingly dependent on their investments within the US [0], especially after the triple whammy of the Biden-era IRA [1], the sanctions on Russia sparking a domestic energy crisis [2], and Chinese players outcompeting German industry in China [3].

This can be seen with Germany purchasing American weapons for Ukraine over French objections [4]

[0] - https://flow.db.com/more/macro-and-markets/us-german-trade-r...

[1] - https://www.bloomberg.com/news/articles/2022-12-14/german-go...

[2] - https://oec.world/en/blog/bavarias-dependency-on-russian-gas...

[3] - https://www.reuters.com/business/majority-german-firms-feel-...

[4] - https://www.politico.eu/article/europe-donald-trump-weapons-...

wmf

95% of Europeans are running American OSes today. Should age verification just wait 20 years for EurOS to be deployed?

alephnerd

> They flip flop on this stuff at least once a month

Because in the background it's a French vs German vs Irish vs Czech vs $insert_eu_state business interests competing with each other.

Notice how it's almost always French legislators and businesses that mention "domestic EU tech" and not Polish, Czech, Romanian, Dutch, or even German policymakers or businesses?

That's why.

National interests always end up trumping the EU in its current form. And for a large portion of the EU, American BigTech represents the majority of FDI (tech and overall).

Japanese and Korean automotive players did the same thing with the US in the 1980s-90s in order to ensure their interests remained aligned (though the Plaza Accords did play a role)

ajsnigrutin

EU is a great chihuahua, authoritarian laws get passed, national politicians say that there's nothing they can do, but they benefit greatly from all the new possibilities of control over the internet.

I mean.. great for the politicians, not for an average european.

0x_rs

The war on the free internet is accelerating. Without real push-back to these dystopian laws and consequences for the people proposing and lobbying for them, you'll miss what will ultimately end up being a temporary anomaly of mostly unrestrained free flow of information. It's not a hypothetical scenario or something that will develop down the line, it's happening today, worldwide.

RpFLCL

I heard from a friend last night that they were unable to see posts on X about current protests in their country because those were considered "adult" content which can now only be viewed after submitting to an ID check. Not porn, video of a protest.

You're 100% right that it's happening today.

stinkbeetle

Sadly the old guard of free speech and privacy activists on the internet has long gone, drowned by a sea of unprincipled populist reactionaries - if their team decided that the content is "problematic", then they are entirely justified in censoring and punishing the speakers for daring to speak it, and entirely justified in protecting everybody else from having to suffer the horror of reading/seeing/hearing it, and it matters not whether the mechanisms are legal or ethical because the ends justify the means.

quantummagic

They always start with "think of the children", but that's just the opening salvo. The wild west days of the internet are definitely behind us. We'll be lucky if we still have private personal computing in the future, or any semblance of free speech.

akersten

If we're to regain any ground here we need to adjust the messaging wrt terms like "wild west" - that's precisely the kind of terminology that scares the average voter into thinking the government needs to do something about this whole internet thing. We need to use patriotic and inspiring language, like "free" as in "free speech for the internet," or "safe and private" etc

avidiax

For those wondering what the purpose is: https://ageverification.dev/Technical%20Specification/archit...

https://ageverification.dev/Technical%20Specification/media/...

Essentially, the core user journey is a privacy preserving "over 18" check. I suppose this prevents under 18's from accessing porn, in the same way that most blocking technologies impose an expense on everyone but fail to block tech-savvy children.

Doesn't seem like it could ever stop someone with a bittorrent client, unless you have to attest you are over 18 to even use bittorrent.

GaggiX

> but fail to block tech-savvy children.

If I were a kid, I could see myself downloading Opera GX and enabling the free VPN. It's probably not "tech-savvy" because the browser gets a lot of ad views on YouTube; it would be pretty obvious.

avidiax

Or using a torrent. Or trading a fileshare with your friends. Or finding a box in the woods. Or finding dad's "tax returns" folder. Or getting on TOR. Or finding an open directory. Or asking AI to produce something.

Basically anything other than going to a legally compliant website and trying to attach your mom's passport to the age verification app and doing the challenge.

lotsofpulp

> Or finding dad's "tax returns" folder.

I would want to sit in on this audit.

latentsea

I think social media does more damage than porn. We should just instead legislate that all social media has to shutdown and just let everyone watch porn and be done with it. Sure, you wind up with ED if you watch that stuff since you were a kid, but hey, if birth rates around the world are anything to go by, no one seems to really want to bring children into this world anymore anyway, so it's not as if that actually matters anymore.

I think I have become far too cynical.

avidiax

The one good thing (in principle) about a service like this is that social media is much more centralized, so this kind of system could put seemingly-effective age restrictions on social media. For example, no under-14's, or under-14 requires a supervising guardian and has other guardrails.

But this still wouldn't stop determined kids from VPNing to another country to make their account, and wouldn't stop peer pressure on kids from bleeding to parents to help them.

zeta0134

I keep coming back to the actual solution being to keep kids off the internet period. If you are under 18, and online without some sort of adult supervision, we have failed you. Maybe that ship has sailed with so much coursework requiring online access, but I maintain that perhaps we should declare it lost at sea and try again.

Because the practical reality here is, like, porn is the big scary word, but the actual danger to kids is *other people.* Other addictions still exist. Removing one vice without solving the underlying systemic problem merely shifts the goalposts, and everyone is up in arms about what a slippery slope that is for good reason.

EDIT: Clarity here because I phrased that badly in a hurry: I'm in disfavor of internet access being a requirement for schoolwork, but I failed to set that context initially. If parents trust their kids enough with access, once they've reached a certain point of maturity, that's fine. I'm against technological age gates and I'm against removal of bad content from the net at large. Parents should decide when their kids are ready, and guide them appropriately.

I will leave my original remarks unedited so the remaining discussion is sensible. (Sorry!)

Hizonner

> I keep coming back to the actual solution being to keep kids off the internet period.

W T F ? ? ?

> Because the practical reality here is, like, porn is the big scary word, but the actual danger to kids is other people.

Bad news, Champ. Other people also exist off of the Internet. They always have. The world is not entirely safe. And that does not mean children shouldn't get to be part of the world.

The main problem here is panicky idiocy.

cosmic_cheese

While there are absolutely issues with kids coming across things they shouldn’t, I’d argue an equally large issue is parents buying into the delusion that they can keep their children contained within a bubble of perfect innocence until adulthood.

That idea has never really been realistic short of keeping them isolated from society until 16-18 (which most would consider abuse), but it’s not even slightly possible today with how readily available information has become. It’s an inevitability that they will learn about the topics you’ve been avoiding and take on external influences you may not approve of.

Now to be clear, I’m not advocating for letting kids run wild on the internet with no guardrails, especially earlier on. Guardrails are important, but it’s even more important in my opinion to try to stay ahead of what they may encounter by talking with them about those things so when they eventually run across it, they’re not flying blind and might even seek your guidance about the incident since they know you’re not going to get angry about it. That’s much more likely to bring positive outcomes than if they ran into these things without parental support.

zeta0134

Yeah, I'm nodding in agreement here for the most part. I didn't mean to suggest crazy helicopter parenting surveillance nonsense, just ... the idea that giving young minds the whole dang net and letting them loose without any guidance or oversight is kinda dangerous. Growing up we always had an adult in the computer lab, or the library, where most computer coursework was being taught. I had "the real internet" right there, but if I actually got into trouble, someone was bound to notice, and I could always ask for help.

The point I was actually trying to make is just this: if the parent's goal is to block content, then the simplest thing to do is to be there when the child is surfing the net. That shouldn't take crazy technological measures. At some point, most parents realize their kids are mature enough to handle things and back off, but the parent should be making that call for their own kid. I don't think the government should be doing it on their behalf. If the government believes the internet is dangerous for young minds, then it should focus on the thing it can control: educational curriculum, primarily. Trying to "fix the internet" is a fool's errand.

sillysaurusx

Couldn’t disagree more. I watched my first beheading video at 13, let alone porn. I still remember it, Nick Berg. I think I turned out ok. My online freedom was largely why I became who I am.

As for other people being the danger, there’s some truth to that for women. I have a daughter, so this will be a concern. But you know, she won’t die. Everyone goes through trauma. The key here is to make sure she feels comfortable enough to talk to me and to my wife before doing anything (too) stupid.

I snuck out of my parents’ house to go see a girl when I was 16. Took my dad’s station wagon. On the way, some car tried to pass me and ended up hitting a big truck on the side. Truck was fine, I was fine, that fella was not. He ended up on the side of the road. Me and trucker just kept going. I still think about that guy a lot, because obviously the correct thing to do would have been to call 911, but I was a dumb 16yo who was out past midnight to go see a girl.

Point is, if things went a little differently, I could have been the one who crashed, or even dead. But that doesn’t mean that the girl I was going to go see was somehow a threat to me. It means I was doing something dangerous.

Again, this is easy to say as a man. The threat model for women is different. But prohibiting minors from the internet without supervision is totally absurd, and I feel bad for any parent who helicopters their kids like that.

Ultimately your kid will grow up and have their own life. Do you want to be remembered as the parent who had them under lock and key in the name of safety, or as a parent who monitored from a distance and occasionally let them do stupid things so that they could learn from it? For me, the latter is far more preferable.

zeta0134

I'm kind of horrified that your immediate response is to defend a beheading video as something a 13 year old should watch. As a normal thing. What the actual hell. Like, the rest of your argument has some good points, but you led with something guaranteed to offend.

I was not clear enough, so I will try again. If parents do not want their kids to access "bad content", whatever that means to them, then they need to supervise the access. If parents are okay with their kids accessing bad content, then that choice is theirs to make. The internet itself should not be the gatekeeper here, neither should the government, but the parents do need to actually parent. I do not believe technology should be doing the parenting. And BECAUSE I believe this is a choice the PARENT should make, I also do not believe unfettered access to the internet should be a requirement for students. As long as that is a requirement, the parents aren't in control, and we get draconian laws trying to "fix the internet."

You have wildly misinterpreted my intent, and admittedly it is because my opening sentence was poorly phrased.

heavyset_go

> Ultimately your kid will grow up and have their own life. Do you want to be remembered as the parent who had them under lock and key in the name of safety, or as a parent who monitored from a distance and occasionally let them do stupid things so that they could learn from it? For me, the latter is far more preferable.

You're trying to logically and emotionally appeal to people whose amygdala have been hijacked by a moral panic.

I agree with you, but good luck.

reactordev

Asking my EU friends, why do you let yourselves be bamboozled by the US tech companies when you’re totally capable of doing it yourselves?

Seriously. You don’t need Google. You just need a plan and a will to execute.

mosura

It is amazing. All the US companies have to do is dangle a “free” solution and the EU will go for it, and then be all surprised pikachu at the terms they agreed to.

nsksl

Where do you get from that we are capable of doing it ourselves? All EU-made software I've used was terrible, and the one that was a bit better than terrible was bought by a US company.

bee_rider

Most closed source US software is garbage too. Some stuff, like Steam, is beloved anyway. But actually the program itself is terrible and slow even on decent computers.

Struggling to think of corporate produced software that doesn’t suck. iOS Safari is ok, I guess.

meowface

Sure but "almost all tech is bad but almost all non-bad tech is American" in effect means European software is seen as bad. (And as an American who's spent a lot of time in Europe, this has been my experience, personally.)

In America the least bad stuff eventually rises to the top. In Europe it feels like it's all just one shared pit.

TrackerFF

Lack of capital. Fear of consequences.

Google rolls into town and wants to spend half a billion euro on a datacenter? Sure thing. They'll say that it'll boost the local economy while being built - by creating a couple of thousand jobs for the contractors that are going to build and maintain it, and then some onsite jobs for the next decade or two, creating a couple of hundred jobs for techs / engineers.

And as long as they keep playing ball with google, projects like that will pop up once in a while. If you're difficult, there's also a risk of the rich tech companies taking their business some other place.

With that said, I've recently noticed more voices for building our own stuff - as there's a real risk that US tech companies will simply comply if pushed enough, say, by a POTUS that's out for blood and wants to hurt certain foreign users. Ban/lock out certain users from gaining access to software, turn off their infrastructure, etc. who knows.

But, alas, there just isn't the same willingness to pour in capital on the important things. For private investors it doesn't make much sense, unless they have a bulletproof contract with domestic users willing to buy their service - and using state funds isn't too popular, either.

Truth be told, any of the big tech businesses can undercut any competition, and probably build better and faster. If anything, it could be the case for tariffs - outsourcing critical infrastructure will leave you very exposed. If European countries all over the board started to abandon US tech companies, they'd cry to Trump, who in turn would probably start a trade-war.

amelius

You need a pile of money first. And that works differently in the EU.

reactordev

You have sovereignty of the EU and nations willing. Don’t say it will take money. Money is fake. You can do this.

Everyone’s ready. The only reason the US is wealthy is those subscription fees and vendor lock in we have.

amelius

They will be sued by Google for illegal state aid.

johnnyanmac

how does a pile of money work in the EU?

heavyset_go

The same way it does anywhere else.

LtWorf

Investors want a realistic plan to make money, they will hardly fund anything without a clear strategy on how to make money.

snickerdoodle12

Because politicians are corrupt

alephnerd

Because national interests always end up trumping the EU in its current form.

American companies like Google [0][1], Amazon [2][7], and Microsoft [3][4][5][6] have spent billions in FDI and hiring, thus building strong relationships with EU states like Ireland, Romania, Poland, Finland, Sweden, and others, but French and German competitors haven't (or don't exist depending on the service or SLA).

This means a significant portion of EU member states have an incentive to maintain the relationship, because the alternative means significant capital outflows. A Polish legislator doesn't have to answer to French voters, so they will incentivize the relationship. Thus, these nations will lobby tooth and nail against destroying the relationship.

It's the same reason Hungary courts Chinese FDI [8] and enhancing the Sino-Chinese relationship as leverage against the EU pushing too hard [9].

[0] - https://www.gov.pl/web/primeminister/google-invests-billions...

[1] - https://www.gov.ie/ga/an-roinn-fiontar-turas%C3%B3ireachta-a...

[2] - https://www.aboutamazon.eu/news/job-creation-and-investment/...

[3] - https://centraleuropeantimes.com/microsoft-google-invest-big...

[4] - https://www.reuters.com/technology/nordics-efficient-energy-...

[5] - https://www.idaireland.com/latest-news/press-release/an-taoi...

[6] - https://www.government.se/articles/2024/06/prime-minister-to...

[7] - https://aws.amazon.com/blogs/industries/cloud-technology-emp...

[8] - https://hungarytoday.hu/hungary-seeks-to-stay-leading-europe...

[9] - https://theloop.ecpr.eu/hungary-and-the-future-of-europe/

lossolo

It's largely a political issue. At this stage you can't create alternatives to Google and other U.S. tech giants without removing them from the market (so essentially the Chinese approach, which has allowed them to build their own massive tech giants). But that path is nearly impossible for the EU due to the risk of U.S. retaliation. The EU can't even implement a digital tax.

You also can't just say, "Here's a few hundred billion in public support to create alternatives to U.S. tech giants", because the U.S. would argue that it's unfair state aid and retaliate.

There isn't enough private capital in the EU with the risk tolerance required to take on such a challenge independently.

We also lack a reserve currency like the USD, so we can't print $2 trillion a year, much of which ultimately flows into the U.S. stock market and further boosts U.S. tech companies, making competition even harder.

EU markets are already fully penetrated by U.S. behemoths that can either withstand or acquire any privately funded competitor, thanks to their massive cash flows and valuations.

For all these reasons, the outlook isn't very promising.

boroboro4

Russia can do it. Thinking EU can’t shows only how low the self esteem is. And it’s a very sad story. EU needs to wake up sooner rather than later.

esseph

I'd argue Europe is further into their economic decline than the US, but both are in a downward trajectory

nabakin

Unfortunately this isn't the first time a government has banned Android devices which are not licensed by Google. GrapheneOS has a list of them[1]

[1] https://grapheneos.org/articles/attestation-compatibility-gu...

latentsea

Ugh. There's just no winning with tech anymore.

I use GrapheneOS as a daily driver and I absolutely love it. It should be the default. There's already one app I use that must do something similar and absolutely just won't run on it, so I have an entirely separate phone running stock Android just for that one app. Still worth the hassle.

Glad I don't live in a place where all this madness is taking root, but still, the trend itself sucks.

superkuh

The only winning move is not to play the game. One has to have a phone these days but you don't have to do your computing on it (during personal time). Use a real computer instead.

latentsea

Great advice that I just can't take.

ajsnigrutin

It's not a tech issue, it's a regulation issue.

EU wants to push more control on the internet, today it's "think of the children" but when the infrastructure is rolled out, it'll be "real name verification" on social media, chat control, etc.

Whoever is pushing this in EU has to be removed before things will get better.

mk89

I am not sure if I am more disturbed by the user journey they want to introduce for accessing websites or the fact that a private company (american, chinese, I don't care) has to become the gatekeeper to let me in.

Who the hell wants this Internet...?

heavyset_go

> Who the hell wants this Internet...?

Scared rich people and bureaucrats

titanomachy

Without getting into the ideological weeds too much, is there a solid technical reason for this? Like if this verification wasn’t in place, could I just alter the source code or binary to always return “yes I’m 18” (or whatever) and completely subvert the intent of this tool? If so, is there a straightforward way to prevent this without involving Google?

Aaargh20318

> if this verification wasn’t in place, could I just alter the source code or binary to always return “yes I’m 18” (or whatever) and completely subvert the intent of this tool?

Kinda, yes.

(slightly simplifying the mechanism here)

This seems to be based on the EU Wallet project, which is still work in progress. The EU wallet is based on OpenID (oidc4vci, oidc4vp). The wallet allows for selective disclosure of attributes. These attributes are signed by an issuing party (i.e. the government of an EU country). That way a RP (relying party) can verify that the data in the claim (e.g. this user is 18+) is valid.

However, this alone is not enough, because it could be a copy of that data. You can just query a wallet for that attribute, store it and replay it to some other website. This is obviously not wanted.

So the wallet also has a mechanism to bind the credential to a specific device. When issuing a credential the wallet provides a public key plus a proof of possession of the associated private key (e.g. a signature over an issuer-provided nonce) to the issuer. The issuer then includes that public key in the signed part of the credential. When the RP verifies the credential it also asks the wallet to sign part of the response using the private key associated with that public key. This is supposed to prove that the credential was sent by the device it was issued to.

Now this is where the draconian device requirements come in: the wallet is supposed to securely store the private key associated with the credential. For example in a Secure Enclave on the device. The big flaw here is that none of this binding stuff works if you can somehow get access to the private key, e.g. on a rooted phone if the wallet doesn't use a secure enclave or with a modified wallet app that doesn't use a secure enclave to store the private key. You could ask a friend who is 18+ to request the credential, copy it to your phone and use that to log in.
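To make the binding mechanism described in this comment concrete, here is an added example in Go (not code from the EU wallet project or from the commenter) that models the three parties with Ed25519 from the standard library. It assumes a simplified credential carrying only an over-18 flag and the holder's public key, a proof of possession that is a signature over an issuer nonce, and a holder signature over a hash of the credential plus the RP's nonce; the real profiles (SD-JWT / mdoc, OpenID4VCI / OpenID4VP) encode these differently. Keys and nonces are constructed for the demo. The scenario shows why the check fails for a credential that was merely copied to a second device (the issuer bound a public key whose private half never left the first device) and for a captured presentation replayed against a later nonce, which is exactly why the strength of the whole scheme rests on where that private key is stored.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Credential is the issuer-signed part of a toy device-bound attribute: the age
// claim plus the wallet (device) public key the issuer binds to it.
type Credential struct {
	Over18    bool   `json:"over18"`
	HolderKey []byte `json:"holder_key"`
}
type SignedCredential struct { // what the issuer returns to the wallet
	Payload   []byte // JSON-encoded Credential
	IssuerSig []byte // issuer signature over Payload
}
type Presentation struct { // what the wallet sends to a relying party (RP)
	Cred      SignedCredential
	RPNonce   []byte // nonce the RP chose for this request
	HolderSig []byte // wallet signature over hash(Payload || RPNonce)
}

func presentationDigest(payload, nonce []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, payload...), nonce...))
	return sum[:]
}

// Issue (issuer side) checks the wallet's proof of possession, a signature over
// an issuer nonce, then signs a credential that embeds holderPub.
func Issue(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, popNonce, pop []byte, over18 bool) (SignedCredential, error) {
	if !ed25519.Verify(holderPub, popNonce, pop) {
		return SignedCredential{}, errors.New("proof of possession failed")
	}
	payload, _ := json.Marshal(Credential{Over18: over18, HolderKey: holderPub}) // cannot fail for this struct
	return SignedCredential{Payload: payload, IssuerSig: ed25519.Sign(issuerPriv, payload)}, nil
}

// Present (wallet side) signs the credential together with the RP nonce using
// the private key that is supposed to live in the device's secure hardware.
func Present(holderPriv ed25519.PrivateKey, cred SignedCredential, rpNonce []byte) Presentation {
	sig := ed25519.Sign(holderPriv, presentationDigest(cred.Payload, rpNonce))
	return Presentation{Cred: cred, RPNonce: rpNonce, HolderSig: sig}
}

// VerifyOver18 (RP side) accepts only if the nonce is this RP's own, the issuer
// signature verifies, the claim says over 18, and the holder signature verifies
// under the key the issuer bound into the credential.
func VerifyOver18(issuerPub ed25519.PublicKey, p Presentation, expectedNonce []byte) error {
	if !bytes.Equal(p.RPNonce, expectedNonce) {
		return errors.New("nonce mismatch: stale or replayed presentation")
	}
	if !ed25519.Verify(issuerPub, p.Cred.Payload, p.Cred.IssuerSig) {
		return errors.New("issuer signature invalid")
	}
	var c Credential
	if err := json.Unmarshal(p.Cred.Payload, &c); err != nil {
		return err
	}
	if !c.Over18 {
		return errors.New("credential does not assert over 18")
	}
	if len(c.HolderKey) != ed25519.PublicKeySize {
		return errors.New("malformed holder key") // ed25519.Verify would panic on it
	}
	if !ed25519.Verify(ed25519.PublicKey(c.HolderKey), presentationDigest(p.Cred.Payload, p.RPNonce), p.HolderSig) {
		return errors.New("holder signature invalid: presenter lacks the bound key")
	}
	return nil
}

func keyFromSeed(b byte) (ed25519.PublicKey, ed25519.PrivateKey) { // constructed demo keys, not real material
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// BindingScenario runs the three cases from the thread and reports which
// presentations the RP accepted.
func BindingScenario() (honestOK, copiedOK, replayedOK bool) {
	issuerPub, issuerPriv := keyFromSeed(1)
	walletPub, walletPriv := keyFromSeed(2)
	_, otherPriv := keyFromSeed(3) // a second device that never went through issuance
	popNonce := []byte("issuer-nonce-constructed")
	cred, err := Issue(issuerPriv, walletPub, popNonce, ed25519.Sign(walletPriv, popNonce), true)
	if err != nil {
		panic(err)
	}
	nonceA := []byte("rp-nonce-A") // 1. the issued-to device answers the RP's own nonce
	honest := Present(walletPriv, cred, nonceA)
	honestOK = VerifyOver18(issuerPub, honest, nonceA) == nil
	nonceB := []byte("rp-nonce-B") // 2. credential bytes copied to a device without the bound key
	copiedOK = VerifyOver18(issuerPub, Present(otherPriv, cred, nonceB), nonceB) == nil
	replayedOK = VerifyOver18(issuerPub, honest, []byte("rp-nonce-C")) == nil // 3. captured and replayed
	return
}
```

`BindingScenario` returns `true, false, false`. Note that the RP only ever sees the public key inside the issuer-signed payload, so swapping in a different key would break the issuer signature; the defence is sound as long as the matching private key cannot be exported from the device, which is the property the hardware checks are meant to guarantee.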

snickerdoodle12

Wouldn't it make way more sense to just have the RP supply a nonce that gets signed by the IDP? Isn't this how oidc works already?

fluidcruft

I'm pretty sure all you need is the ability to login to a website and for that site to vouch for your age based on having examined your identification documents (or something like a network of PGP web-of-trust type notaries). I have a hunch that using a hardware token and biometrics is required to prevent fraud (FIDO and passkeys etc should work). The trick is preventing simulated tokens from existing/working which is where secure boot etc enter the picture.

altairprime

You would need to release a kernel and OS that requires users who modify the attestation and hardware token components of it to provide their own signing key rather than your production EU-registered one, chained back to the HSM signature emitted by the phone’s HSM signed bootloader; and then you would simply let the app check that its secure boot attestations chain to a secure bootloader/image/OS triplet that’s on file with the EU. Mix in some tech spice for the EU to prohibit OS releases that are validly signed but whose specific instance of a signature is found to be exploitable to bypass age checks and you’re set. None of this would prevent users from modding their devices, any more than macOS prevents modifications today if you turn off the security protections; but once you turn off the security protections, it can no longer attest with Apple’s signature because your modifications don’t match the signature any longer, and so Apple Wallet is inaccessible.

None of this prohibits users from modifying their bootloader, kernel, or OS image; but any such modification would invalidate the secureboot signature and thus break attestation until the user registered their own signatures with the EU.

The EU currently only transacts with Google in this regard because, as far as I know, they are the only Android OS publisher (and perhaps the only Linux publisher?) that bothered to implement hardware-to-app attestation chaining live in production end-user devices in the decades since Secure Boot came onto the scene. All it takes to change that is an entity who has sufficient validity to convince them that outsourcing permitted-signature verification to Google is unethical, which it is.

It’s a safe bet that Steam Linux was already working on this in order to attest that the runtime environment is unmodified for VAC and other multiplayer-cheating prevention systems in games — and so once they publish all that, I expect we’ll find that they’ve petitioned their attested OS signature chain to the EU as satisfying age requirements for mature gaming.

The vendor lock-in here is that Apple and Google and, eventually, Valve, are both willing to put the weight of their business behind their claims to the EU that they do their best to protect the security of their environment from cheaters, with respect to the components required by the EU age verification app. The loophole one could drive a truck through that the EU has left open to break that lock-in in the future? Anyone can petition the EU to accept attestations from their own boot-kernel-OS chain signatures so long as they’re willing to accept the legal risks visited upon them if found to have knowingly permitted exploitation for age check bypasses, or neglected to respond in a timely and prudent manner when notified of such exploitability by researchers — and if the EU rejects their petition improperly, they’ll have to answer for that to their citizens.
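
A minimal model of the scheme sketched in this comment, added here as an example and not code from the original post or from any EU or vendor project: the device reports a (bootloader, kernel, OS) hash triplet with a root-keyed tag over the chained measurement, and the verifying app accepts it only if the chain is on file and not revoked as exploitable. The register, the image blobs and the root key are constructed sample data, and an HMAC stands in for the HSM's asymmetric signature so it runs with the standard library alone.

```python
import hashlib
import hmac

# Constructed root-of-trust key shared between the device's HSM and the verifier.
# A real chain uses asymmetric signatures from the HSM; an HMAC stands in for
# that signature so the example runs with the standard library only.
ROOT_KEY = b"constructed-device-hsm-root-key"


def measure(blob: bytes) -> str:
    """Hash one boot stage (bootloader, kernel or OS image)."""
    return hashlib.sha256(blob).hexdigest()


def chain_digest(triplet: tuple[str, str, str]) -> str:
    """Fold the three stage hashes into one digest, measured-boot style:
    each stage's hash is extended onto the digest produced by the stage before it."""
    digest = bytes(32)
    for m in triplet:
        digest = hashlib.sha256(digest + bytes.fromhex(m)).digest()
    return digest.hex()


def attest(bootloader: bytes, kernel: bytes, os_image: bytes) -> dict:
    """Device side: report the triplet and a root-keyed tag over its chained digest."""
    triplet = (measure(bootloader), measure(kernel), measure(os_image))
    tag = hmac.new(ROOT_KEY, chain_digest(triplet).encode(), "sha256").hexdigest()
    return {"triplet": triplet, "tag": tag}


def verify(report: dict, register: dict, revoked: set) -> tuple[bool, str]:
    """Verifier side (the age-check app). The register maps a registered
    (bootloader, kernel, os) triplet to the publisher who signed up for it;
    revoked holds triplets later found exploitable for age-check bypass."""
    triplet = tuple(report["triplet"])
    expected = hmac.new(ROOT_KEY, chain_digest(triplet).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, report["tag"]):
        return False, "attestation tag does not match the reported chain"
    if triplet in revoked:
        return False, "chain is registered but revoked as exploitable"
    publisher = register.get(triplet)
    if publisher is None:
        return False, "chain is not on file with the verifier"
    return True, publisher


# Constructed sample: one registered stock image set (hypothetical publisher name).
STOCK = (b"bootloader-v1", b"kernel-v1", b"os-image-v1")
REGISTER = {tuple(measure(b) for b in STOCK): "example-os-publisher"}
```

A user who swaps in their own kernel gets "not on file" until their own triplet is registered, which is the self-registration path the comment describes.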

Hizonner

> None of this prohibits users from modifying their bootloader, kernel, or OS image;

... unless they don't want to turn their device into a boat anchor that nothing else will talk to. It's not going to stop with age verification.

Counterproposal: fuck attestation, and fuck age verification. Individual users, not corporations, associations, or organizations, get to use any goddamned software they want any time they want for any purpose they want, and if you set up some system that can't deal with that, tough beans for you.

akersten

> that bothered to implement hardware-to-app attestation chaining live in production end-user devices

This is why it's important that initiatives like Web Environment Integrity fail. Once the tools are in place, they will always be leveraged by the State.

> and so once they publish all that, I expect we’ll find that they’ve petitioned their attested OS signature chain to the EU as satisfying age requirements for mature gaming.

I hope that Valve pays no mind to this nonsense and continues to allow art to be accessible to anyone.

altairprime

That ship sailed decades ago when Intel promoted Secure Boot as a defense against malicious modifications; it stops rootkits and it stops cheaters, what more could one ask for, etc. App attestation of this sort has been offered in certain enterprise/government Windows 10 SKUs since day one. Apple’s web attestation protocol has been live on all T2 devices for about as long as T2 has been out.

Governments have real and serious need for verifications that are backed by their force. They’re a government; they are wielding force upon citizens by doing this, knowingly and intentionally. That is a normal and widespread purpose of the State existing at all: to compel people to align with the goals of the State, whether members of the State like it or not, until such time as the State’s goals are changed by whatever means it permits or by its collapse.

If this pans out for them, as cryptographically it will, though it remains to be seen how vendors and implementations handle it at scale, then they can introduce voting from your phone — the previously-unattainable holy grail of modern democracy — precisely because it lets the government forcibly stop the cheating that device-to-app/web attestation solves. And they can do so without leaking your identity to election officials if they care to! Just visit a government booth once in a while to have your identity signature renewed (and any prior signatures issued to your identity revoked). That’s how digital wallet passports and ID cards work already today anyways, with their photo/video/NFC processes.

Western sfbay-style tech was founded on the libertarian principle that one should be able to tell the government to fuck off and deny taxation, representation, blah blah etc. in favor of one’s armed enclave that does what it feels like. It’s fine to desire that, but it’s proven too radical to be compatible with the needs of nation-states or the needs they enforce satisfactions for on behalf of their citizens. Attacking attestation won’t solve the problem of the “State”, and has led us to a point where Google can claim truthfully to a “State” that the Android forks ecosystem isn’t competent enough to be trusted, because they can’t be bothered to do attestations.

avidiax

Lengthy GitHub issue about this: https://github.com/eu-digital-identity-wallet/av-app-android...

It really seems like tying this to Google violates some key principles of the EU market.

Arch-TK

It's absolutely abysmal that the EU and UK are implementing laws relating to age verification requirements.

Who voted for this? Who asked for this?

potato3732842

If you're wondering what regulatory capture looks like, this is it.

wmf

It's more likely to be laziness by the developers.