You are copy pasting a “correct” argument against eu bureaucracy in the absolute wrong space

Can't speak for Germany, but they do in the UK. It would be illegal discrimination against a belief for them not to.

But to answer the question in a real way: Veganism is often regarded as just a dietary choice like any other, when in reality courts in several countries have more or less agreed to classify it as a matter of conscience, which would give adherents some right to it. Though it seems German courts have been reluctant to draw much legal consequence from it - so far at least.

So in that sense, I don't think people have been talking about digital sovereignty and abstaining from proprietary software under another country's jurisdiction much as a matter of conscience yet. We can thank Trump that it might actually become a thing though.

For it to be fair comparison, the carrots would have to be grown by a foreign company, known for using unsafe growing practices, causing contamination. Eg, poison carrots. This same company would have to be under the control of a very hostile, very actively aggressive and threatening nation.

Such as one currently threatening to annex allies, among other things.

With the US literally tapping and spying on heads of foreign states:

https://en.wikipedia.org/wiki/German_Parliamentary_Committee...

and there being lots of ways to spy, such as push notifications:

https://www.reuters.com/technology/cybersecurity/governments...

Only insane people would objectively decide to use Google or Apple anything for any form of ID. Those platforms should literally be outlawed. Any use of push notifications or identity attention should be looked at as utter fantasy.

Here's a secret for you. There really isn't any urgent requirement to have an electronic identification method. It can wait. Supporting legislation can be passed first. There are lots of ways to do so.

For example, the entire EU could pass legislation stating that all cell phones have open source code available, including all binary blobs for drivers. And that all phones are unlockable, and that (for example) the phone has a version of the rom you can download without any Google services.

(If Apple isn't able to compete here, well... too bad)

The phones would not be legal to sell, unless the open source firmware was compiled in front of regulators. The point of this is another pet-peeve of mine, it would allow people to support their own phones, for that source code would be released the day that phone was no longer supported.

And yes, it's trivial to have open source firmware blobs. There just isn't a market for it. Pass a law, and sellers of SoC and other ICs will capitulate, or maybe more punitive laws will be passed against them. As someone once said, yes companies can have a lot of sway.

But governments have police, courts, and armies.

Right now, Android and Apple devices are a literal arm of the US government's spying apparatus, even if those two companies actively work against it.

Do not trust Google Play. Do not trust Firebase. Do not trust Google. At all.

Are Germans just too trusting? I remember 15 years ago, when nuclear power plants were closing, concerns were raised about the reliance on Russian natural gas. These were waved away. Russia? What's wrong with Russia! They're almost allies, they're capitalists now!

Don't do this again.

Do NOT trust Google. Don't. Don't make it a core part of any identity management.

Imagine, needing an active Google account to even bank! Or to file your taxes, or even to prove who you are!? Google cancels accounts with no recourse, no reason why, won't help anyone, and this is to be the core of identity management for Germany?

The average person won't even be able to install any German Government designed apps, unless they are on the Play store! Are you going to teach Grandma how to use ADB to install an app? Without an active Google Account, will you even be able to use push notifications?

Why would a government even allow ID to be blocked by the requirement that a company with terrible, horrible, inane customer service, which just kills accounts without recourse, be a gatekeeper?

No Google account, no ID! Wha!?

It's literally not sane.

It is exactly the kind of alternative that European countries should embrace to become less dependent on US tech.

I am not sure if you are European, but why people are still supporting the GMS Android/iOS duopoly after the US revoked the Google accounts, Office 365 accounts, credit cards, Amazon accounts, etc. of ICC judges is beyond me. Supporting only iOS/Google GMS Android in a government app basically gives the US all the means to blackmail you and/or disrupt your digital infrastructure.

It seems there are still people working for European governments (including developers) who seem to have missed 2025 and the first few months 2026?

We are repeating the same mistakes as depending on Russian oil/gas again.

Can't buy any single fare public transport tickets online here in Stuttgart? Sure, I'll use the DeutschlandTicket NFC card. Can't view the EPA? Fine then I don't. Can't pay with Wero? Fine, I don't actually need to use shops that don't offer SEPA Vorkasse or Lastschrift (only without a dodgy "identity verification" fintech startup of course.

No one wants support for toasters and washing machines. We're talking general purpose compute hardware. TCP is also supported on all these devices. Quite frankly, it's probably easier to implement, if you are not fighting a locked-down OS like iOS.

https://en.wikipedia.org/wiki/Dehomag#Holocaust

Such public utilities ought to always prioritize privacy, platform-independence, and empowering market competion long- and short-term. And to achieve that you need to start at the design level.

In this case, clearly, you either have to avoid relying on app attestation or lay the foundation for an unrestricted number of independent chain of trust frameworks.

The latter, of course, is a policy-level issue, but the ones responsible for the design and development are the ones who need to pass such concerns up the chain.

Imagine cheering for the company that will block the criminal prosecutors investigating war crimes and genocide from having the ID at all(1) once the supporter of the investigated sanctions the law-abiding persons: https://www.whitehouse.gov/presidential-actions/2025/02/impo...

But anyway - why the requirement in the first place?

(1) because sanctioned person must not be allowed to create another account.

SIM-based solutions on their way out is a non-issue. For eSIM to support that use case, political will only is needed: the EU got Apple to abandon the lightning cable, this is not any different.

Plus, the process is something like:

- we want to do $something

- hire consultants to help us define $something and produce a document

- hire other consultants to write the specs for the project

- launch an RFP

- select a winner

- wait for the implementation to finish

All the proposed solutions will be something paid, ideally made by a really large company to lend it credibility, and with maintenance costs that justify hiring dedicated people for it.

In the end no one gets what they want.

You think if there was any will wouldn’t the whole EU use whatever the Estonians are doing very well?

Instead they could have mandated the use of eIDAS 1 to all countries + extend it with attribute/credential support, and let countries choose their implementation (cards, SIM, server-side).

Instead we’re back to the drawing board with the big shortcomings highlighted in this thread.

They can be trivially rooted, then they spoof the signature and get a pass in Integrity while being wide open for malware (or cooying the ID, ID presume).

It works great. Just keep in mind that newer phones are starting to deprecate physical SIM slots. At the same time certifying eSIM implementations to the same EAL level is an absolutely crazy task.

Provided you know the secret key to a government-issued certificate. Making it impossible to copy said certificate is not really a requirement for identity verification.

Rooted, wildly insecure devices can pass the attestation easily: https://magisk.dev/modules/play-integrity-fix-inject/

Safe, updated devices cannot unless they permit Google to run their surveillance services in the privileged, unconstrained mode.

I think we need some fingerpointing that EU officials strive to avoid.

Authorities/anyone could verify that it's not counterfeit. And photo should be checked anyways to match the person.

So I also don't see the need for attestation. For ID check it should be ok without. For signing stuff ofc it is not resistant to copying. But EID smartcard function already exists.

While it's dramatically worse than devices Google refuses to certify (ie these not running their spyware as privileged services).

It's hard for me to assess the effort needed here, but I guess that the GrapheneOS implementation will be 99% like the regular Android implementation. Supporting both systems does not seem to be that unrealistic.

I'm also thinking of keeping an android phone purely for auth purposes, separate from my main one. The world's most overengineered (and probably also less safe) Yubikey.

> If you read French

Let's see how far my five years of French at school will get me. I'm not getting my hopes up ;)

Kinda like the discrimination DB does for people using paper tickets vs those using the DB Navigator app.

As a separate device, it should be offline always IMO, and perhaps the size of a passkey. Or one of those banking devices with a display that show an authenticated text saying what you are confirming.

Private smartphones are excluded already.