You are copy pasting a “correct” argument against eu bureaucracy in the absolute wrong space
Using smartphones with such a setup should not become required by a European government on a fundamental level.
Sufficiently detailed telemetry is indistinguishable from surveillance because even if the goal isn't to target you right now, they will still have the secondary option of going back and inspecting all that data you sent them if they ever are interested in you. Another secondary use of telemetry is selling it to someone else to squeeze out a bit more money. There's no downside to doing this, so any business that collects a lot of varied telemetry and likes making money might as well do it. And once the data is in the hands of adtech businesses, it becomes a whole lot more like tracking you personally than just collecting some data for development. In Google's case, you don't even need to hand it over to anyone else, everything stays in-house.
I heavily doubt that.
Simply put: this will never happen. Way too many devices implementations to make this a reality.
If your answer is "none", you missed the point.
Configure your phone however you want, then use your physical ID because your phone isn't supported. They're not taking it away. In the same way that you can file your taxes. Having an online filing service doesn't mean you're being "excluded" because your i386 running BeOS isn't part of the supported hardware. Send a letter. It'll still work.
If you were averse to carrots (without any health restrictions on eating them), would every government institution in Germany be required to serve you carrot-free food?
If not, why should they be forced to accommodate every smartphone brand in existence, even if there's only 3 people in Germany using it? THe list has to end somewhere.
Can't speak for Germany, but they do in the UK. It would be illegal discrimination against a belief for them not to.
UK law protects some philosophical beliefs equally to religions. (what qualifies is a bit of a mess as it's all case law)
(On a practical note, I imagine it's easier for hospitals to just serve vegan food for anyone who is vegetarian/Muslim/Jewish rather than have specific kosher/halal meals)
But to answer the question in a real way: Veganism is often regarded as just a dietary choice like any other, when in reality courts in several countries have more or less agreed to classify it as a matter of conscience, which would give adherents some right to it. Though it seems German courts have been reluctant to draw much legal consequence from it - so far at least.
So in that sense, I don't think people have been talking about digital sovereignty and abstaining from proprietary software under another country's jurisdiction much as a matter of conscience yet. We can thank Trump that it might actually become a thing though.
For it to be fair comparison, the carrots would have to be grown by a foreign company, known for using unsafe growing practices, causing contamination. Eg, poison carrots. This same company would have to be under the control of a very hostile, very actively aggressive and threatening nation.
Such as one currently threatening to annex allies, among other things.
With the US literally tapping and spying on heads of foreign states:
https://en.wikipedia.org/wiki/German_Parliamentary_Committee...
and there being lots of ways to spy, such as push notifications:
https://www.reuters.com/technology/cybersecurity/governments...
Only insane people would objectively decide to use Google or Apple anything for any form of ID. Those platforms should literally be outlawed. Any use of push notifications or identity attention should be looked at as utter fantasy.
Here's a secret for you. There really isn't any urgent requirement to have an electronic identification method. It can wait. Supporting legislation can be passed first. There are lots of ways to do so.
For example, the entire EU could pass legislation stating that all cell phones have open source code available, including all binary blobs for drivers. And that all phones are unlockable, and that (for example) the phone has a version of the rom you can download without any Google services.
(If Apple isn't able to compete here, well... too bad)
The phones would not be legal to sell, unless the open source firmware was compiled in front of regulators. The point of this is another pet-peeve of mine, it would allow people to support their own phones, for that source code would be released the day that phone was no longer supported.
And yes, it's trivial to have open source firmware blobs. There just isn't a market for it. Pass a law, and sellers of SoC and other ICs will capitulate, or maybe more punitive laws will be passed against them. As someone once said, yes companies can have a lot of sway.
But governments have police, courts, and armies.
Right now, Android and Apple devices are a literal arm of the US government's spying apparatus, even if those two companies actively work against it.
Do not trust Google Play. Do not trust Firebase. Do not trust Google. At all.
Are Germans just too trusting? I remember 15 years ago, when nuclear power plants were closing, concerns were raised about the reliance on Russian natural gas. These were waved away. Russia? What's wrong with Russia! They're almost allies, they're capitalists now!
Don't do this again.
Do NOT trust Google. Don't. Don't make it a core part of any identity management.
Imagine, needing an active Google account to even bank! Or to file your taxes, or even to prove who you are!? Google cancels accounts with no recourse, no reason why, won't help anyone, and this is to be the core of identity management for Germany?
The average person won't even be able to install any German Government designed apps, unless they are on the Play store! Are you going to teach Grandma how to use ADB to install an app? Without an active Google Account, will you even be able to use push notifications?
Why would a government even allow ID to be blocked by the requirement that a company with terrible, horrible, inane customer service, which just kills accounts without recourse, be a gatekeeper?
No Google account, no ID! Wha!?
It's literally not sane.
Germany at least seems to feel international war is only a few steps away and from how militant the Chinese and Russians have been treating their “territory” I am not sure it is a bad call.
America has likewise turned bad preferring violence over dialogue and loves tracking “hostile influences on the American way of life”. Those influences being anyone who would call out the toxic culprits making America into a cesspit.
Tying to Apple and Google? It is a terrible idea. Both are prone to freeze devices for financial or social issues.
However, a fix I would accept is to force the device makers to support multiple accounts out of box on every device to keep separate what the corporations have proven time and again they cannot be trusted to combine. Also for those companies to be forced to make a cheap credit card sized device which must be held to power on for the few that truly hate the ecosystems.
I don't understand why this is not the default to be honest, and why people are not advocating for that
What's wrong with ID cards and cash?
This is an understatement. Better phrasing would be "when it allows two unaccountable foreign companies to lock citizens out of the digital market".
There are plenty of horror stories of tech giants frivolously banning people. We shouldn't be adding state support to that. I don't want to lose access to digital banking because of some deliberately vague "community guidelines" violation, or because I got mass-reported to some "e-safety" provider that both Apple and Google outsource to.
Sibling comments see this as a good solution, just not a perfect one. I see it as making a bad problem worse.
The usual 80/20 rule applies here as well.
And if you really are a German citizen, you know how slow the wheels of government already turn in Germany, I assume next week you would be the one complaining that "Germany is so far behind" and that "other countries are so much faster at implementing stuff" :)
It is exactly the kind of alternative that European countries should embrace to become less dependent on US tech.
I am not sure if you are European, but why people are still supporting the GMS Android/iOS duopoly after the US revoked the Google accounts, Office 365 accounts, credit cards, Amazon accounts, etc. of ICC judges is beyond me. Supporting only iOS/Google GMS Android in a government app basically gives the US all the means to blackmail you and/or disrupt your digital infrastructure.
It seems there are still people working for European governments (including developers) who seem to have missed 2025 and the first few months 2026?
We are repeating the same mistakes as depending on Russian oil/gas again.
Can't buy any single fare public transport tickets online here in Stuttgart? Sure, I'll use the DeutschlandTicket NFC card. Can't view the EPA? Fine then I don't. Can't pay with Wero? Fine, I don't actually need to use shops that don't offer SEPA Vorkasse or Lastschrift (only without a dodgy "identity verification" fintech startup of course.
No one wants support for toasters and washing machines. We're talking general purpose compute hardware. TCP is also supported on all these devices. Quite frankly, it's probably easier to implement, if you are not fighting a locked-down OS like iOS.
It's a pragmatic, profit-oriented point of view, but not one that makes sense when your mission is to be inclusive of everyone.
Why device attestation is required is quite well explained by this github comment [0]. I am in the industry and I agree fully with it, because it is a fact a problem for most smart phone users in terms of security.
0 - https://github.com/eu-digital-identity-wallet/eudi-app-andro...
I'm not going to replace my 1200 EUR smartphone with a device that forces me to have an account with Apple or Google. I've been issued a German identity card, which is its own computer that includes a digital identity already. I also own an expensive card reader, which together forms a system that is completely capable of supporting any attestation anyone would need. They should just stop excluding me already.
Well, in all seriousness what examples could you give me here in terms of device hardware attestation? Even GrapheneOS does use Google root certificates to attest your device. There is indeed an option for EUDI to keep a list of keys and I bet this is probably the way they are going to go for Android in the future. We shouldn't forget this is still in the planing phase.
> to have an account with Apple or Google.
True for Google, not true for Apple. Device attestation on iOS does not require you to have an iCloud account or sign into some Apple services. It works entirely using device hardware ids.
> I also own an expensive card reader, which together forms a system that is completely capable of supporting any attestation anyone would need.
Nope. This is eID and verifies your identity, it does not attest the security of your hardware. These are two different problems we talk about here.
The reader and its firmware is already certified by the federal IT security agency BSI for use with eID and banking. Why shouldn’t I be allowed to use that for whatever digital identity wallet thing the EU is cooking up?
My Librem 5 runs an FSF-endorsed OS and has a smartcard.
> True for Google, not true for Apple. Device attestation on iOS does not require you to have an iCloud account or sign into some Apple services.
This is extremely misleading. Even if true, you must have an account in order to install any app on an iPhone.
Ok, so how does that help with device attestation? If I am an app developer how does it tell me that your OS has not been tempered with or actually that my app has not been tempered with? Are there any cryptographic keys stored in a secure place on the device that the Librem vendor can verify?
> This is extremely misleading.
But it's not. It's an architectural difference between how Google and Apple implemented attestation. Apple stores the generated keys in a secure part on your device and certifies them. The rest is your job as an app developer. And as a user, you do not have your iCloud or iTunes account used for device attestation. In contrast Google and its Play services are an integral part of the attestation workflow.
For Apple it's evident from their docs. As a side note: I do try to learn more about this, because of an incoming project concerning it.
> You can’t rely on your app’s logic to perform security checks on itself because a compromised app can falsify the results. Instead, you use the shared instance of the DCAppAttestService class in your app to create a hardware-based, cryptographic key that uses Apple servers to certify that the key belongs to a valid instance of your app. Then you use the service to cryptographically sign server requests using the certified key. Your app uses these measures to assert its legitimacy with any server requests for sensitive or premium content.
Source: https://developer.apple.com/documentation/devicecheck/establ...
This is not your business to verify and control what can run on my phone. I can do it with my smart card, which securely stores cryptographic keys.
> And as a user, you do not have your iCloud or iTunes account used for device attestation.
It does not matter. An account is necessary to make the phone usable at all. The attestation is useless on a phone that can't install apps.
Then keep using it, instead of the not-mandatory app?
> I also own an expensive card reader, which together forms a system that is completely capable of supporting any attestation anyone would need.
Sure. In the mean time, do we tell the other few dozen millions that don't have an expensive card reader to go fuck themselves, or can we get to work on a solution that, even if not ideal, makes their lives easier?
> They should just stop excluding me already.
They aren't. You said it yourself, your ID is in your pocket.
Yes of course. That is one of it’s fundamental issues.
The limited selection of attestation providers can be criticized for many other reasons, though.
Such public utilities ought to always prioritize privacy, platform-independence, and empowering market competion long- and short-term. And to achieve that you need to start at the design level.
In this case, clearly, you either have to avoid relying on app attestation or lay the foundation for an unrestricted number of independent chain of trust frameworks.
The latter, of course, is a policy-level issue, but the ones responsible for the design and development are the ones who need to pass such concerns up the chain.
If you want to be critical of the outcome on compatibility grounds, forcing a grind to increase technical compatibility is the wrong thing to ask for. That must necessarily always leave some people behind. The only honest alternative positions on that front are (a) the government issues the tech to everybody itself or (b) the government doesn't build advanced systems at all.
The German government offices rely on a lot of quaint-looking paper based processes, but they have one thing going for them: working through them can be done with pen and paper - tools that are available for cheap and broadly compatible. It's probably not such a bad thing after all?
You chose to use a non mainstream platform. Thats on you.