So Italy's IO app https://github.com/pagopa/io-app (wallet, documents, age verification) continuously refuses the users' request for GrapheneOS support and requires Google.
Nothing will change until the lawsuits start coming in.
The only hope is the Motorola/GrapheneOS collaboration and consumer associations, that might sue for anticompetitive behavior.
Make noise on any channel for the apps that require play services, it will help in the future if the lawsuits start, since it will show user support for the initiative.
It's also the fact that it forces each citizen to pay a few hundred Euros to companies which then campaign against their very rights.
Citizens get no support of any kind in case of issues, and have to enter a contractual agreement which is ridiculously asymmetrical, where the company has little to no responsibility of any kind, but has very ample rights to track the other party in extremely creepy ways.
In addition to the money, actually using them would be hundreds of times more complex, and they don't have the provisions Google has, for example accessibility and security services (like actually stopping people stealing accounts on a large scale). All of this can be done, easily even, but it isn't. Politicians don't want to.
https://www.itsme-id.com/business/platform/identification
https://france-identite.gouv.fr/
https://english.rekenkamer.nl/latest/news/2023/03/29/digital...
1. Completely outlawing remote attestation.
2. In a world where remote attestation is given, let it be controlled in a fair way and not just by Google and Apple.
The risk is that only fighting for (1) leaves you in a world with remote attestation, where only Google and Apple can decide who gets to pass and who not. In fact, that is pretty much the world we are in already.
I agree that they are both worth fighting for, but I think (2) is much easier to accomplish, simply because Play Integrity is probably a DMA violation. (IANAL blah blah)
It would be a win for GrapheneOS users though, so I hope they do get support.
You should never base your trust on the other party having a piece of hardware that has restrictions that you approve of. That is fragile, especially in a world where some people are better at making or modifying hardware than others. It is also a fundamental violation of basic freedoms to prevent people from modifying hardware that they own, and not something you can reliably police, and thus is a terrible way to establish trust from a technical perspective.
It's much better to base trust on established cryptographic methods on a protocol level. You treat them as a black box, and the trust is established by the inputs and outputs, not what's inside the box. An example of this would be handing them an image of a digital ID paired with a cryptographic signature that only the government holds the private keys to. They have no computationally viable way to edit the image and still have it match the paired signature. It's easily verified based on the government's public key, and they cannot re-sign it without the government's private key. It doesn't depend on hardware restrictions.
The fact that there is so much focus on hardware means there are likely deeper motives here, e.g. surveillance being dressed up as convenience.
If we gatekeep service access to specific implementation attestations, it becomes much harder for new implementations to emerge. It doesn't really matter who controls the process.
In that sense, it's always bad. In this specific scenario for example it directly blocks emergence of alternative Android ROMs and Android-mostly-compatible devices like the various Linux phones.
There may be times where that downside is worthwhile, but it's always a downside, and we should very strongly discourage attestation wherever possible on that basis for the health of both the tech ecosystem and the business market around it.
It's never "let's check if the mobile user has purchased in-game content server side to prevent pirating it", it's "suspend any account that has signed in with a device that fails SafetyNet, permanently ban any account that has failed a jailbreak or root checks"
It's never "let's check and calculate statistically cheating probability and move damage calculation server-side so that player cannot godmode or modify their APK", it's "all non-stock phones are cheaters and fraudsters, ban all of them, use invasive anti-cheat, while continuing to have client sided damage and health and energy because it is easier"
Something else has to change first, otherwise the only option for businesses will be, after 2 is implemented: "while yes it is now possible to allow a neutral third party to control attestation, someone higher-up such as legal has said ONLY google can and we will ban everyone else"
As long as it is easier to not give a fuck, that is the option that will be taken. E.g. the only reason our publisher allowed the removal of play services was finding out that Chinese players on definitely not Google certified phones spend the most by orders of magnitude, and even then it is only relaxing the check for a specific region, forcing all EU players to continue to have this checking.
I would be wholly unsurprised if the result was to continue to require attestation but allow GrapheneOS, for example, only in Motorola factory shipped phones and disallow it if the user was involved in any way in the installation of it.
Nice
So, there are certainly useful applications.
I suppose if you've bought a device with GrapheneOS already installed, you can use it to verify the installation. But that could also be achieved by reflashing a known-good image yourself.
Admittedly, most of these are probably nation state-level attacks, but I think some GrapheneOS users are the target of such attacks. Also, it doesn't hurt to run Auditor after a fresh install to protect against the second scenario. It only takes a minute, better safe than sorry.
I struggle to think of a useful use for it on the end-user client side, though.
"Adding support for GrapheneOS" means allowlisting their AVB keys specifically, it does not open a door for 3rd party implementations in general.
If you run GrapheneOS on a different device of your choosing, attestation would fail.
If you run a non-GrapheneOS custom ROM of your choosing, attestation would fail.
1. Smart Cards (for example The Current National ID)
2. Standalone Hardware Tokens & USB Keys
Yes, I'm sure they'll still allow for mail-in of obscure forms to access public services, which will then take 3 weeks to be processed.
If the EU actually wanted to "anticipate" this danger they'd have made it mandatory to include a physical form factor in EUDI wallets. In reality, they don't mind this danger, so it's optional, and you can bet most countries won't include one and make Google and Apple the only options.
It's about ownership, not tinkering. It's about preventing megacorporations from having the last word about how government services can function and how people can interact with them.
1/3 of the population functionally illiterate in Europe seems beyond wild to me.
Are you talking about technical illiteracy? security illiteracy?
Or do you mean they can't read english, which is a very different thing.
How good can this become?
Rates seem to vary state by state, from as low as 8% (Denmark) to 43% (Romania).
It's also not a clearly defined target, since it would be better to have rates based on the reading comprehension of the average school at year X or something similar.
Is it "functionally illiterate" if you can read the language aloud and not understand it, if you also wouldn't have understood the same thing spoken to you? That seems like it's about comprehension ability, not literacy.
Although one thing that just occurred to me is that if your reading level is low, you might be using all your cognition on reading so that you don't have spare capacity to understand as well - that's frequently the case for me with e.g. Chinese where I can read an entire passage out and then the teacher asks what the passage was about and I'm just thinking "I dunno, I wasn't thinking about that but I think I understood everything".
And that's definitely a different problem to being able to sound out the words, but just having no idea what those words mean, whether you read them or heard them.
And does it have to be your native language, or in any language? Not trying to nitpick, it just feels like the phrase can be usefully applied to a foreign language too.
"functionally illiterate" is the brush that one paints with when describing people of opposing political viewpoint or lower socioeconomic status, for example.
Being kinda dumb and graduating school without reading a book is not a socioeconomic status
https://www.southtyneside.gov.uk/article/16247/Public-Health...
> Guidance tells us the average reading age in the North East is lower than the national average at between 9 to 11 years. To put that into context The Guardian Newspaper has a reading age of 14 and the Sun Newspaper has a reading age of 8.
Health literacy specifically is a major problem in healthcare
https://literacytrust.org.uk/parents-and-families/adult-lite...
> 1 in 4 (26.7% / 931,000 people) adults in Scotland experience challenges due to their lack of literacy skills.
I find that page somewhat ironic as they claim 18% is one in six, but 17.4% is one in five. Seems numeracy is as big a challenge.
The US is no better according to Wikipedia
> In 2023, 28% of adults scored at or below Level 1, 29% at Level 2, and 44% at Level 3 or above
> Adults scoring below Level 1 can comprehend simple sentences and short paragraphs with minimal structure but will struggle with multi-step instructions or complex sentences
> Adults scoring at Level 3 or above are considered "proficient at working with information and ideas in texts"
Fairly sure that in most countries the average person reads less than 1 book per year, so half of the population reads less than that. I know people who haven't read a book since high school, when they were forced to.
The Average Briton allegedly reads 15 books per year. I assume it's self-reported and poorly sampled. Otherwise it's very hard to believe (and variance between countries seems way too high) but stats like this (especially more subjective ones like functional literacy) are usually not very useful on their own.
Whoever believes those statistics I have a strait to sell to
Play Integrity actually does both and passing remote attestation is necessary to pass Play Integrity at the strong level. Remote attestation is used for this level, since a modified OS could fool DroidGuard.
I'm sorry if my comment was not clear in what I was referring to.
What makes Android and Apple devices special?
It's an ill-defined "security" measure that should be viciously opposed anywhere it shows up.
Obviously some companies do despite the risks, I wouldn't expect this of any individual company, but as a whole some company will once in a while anyway. So stay vigilant.
Other interested parties can still be trying to steer the ship.
https://digital-markets-act.ec.europa.eu/contact-us-eu-citiz...
The more examples they get of actual citizens that get hit by this, the better. I have recently sent messages when Google introduced their new device-based recaptcha and when Volkswagen started blocking GrapheneOS. Of course, do not yell, explain patiently and with good argumentation why you are affected by Play Integrity and how you believe Play Integrity is used to enforce the duopoly + goes counter EU sovereignty.
Also, for apps that use Play Integrity, e-mail the company. React to their boilerplate replies with follow-ups (this slowly seems to get some headway with VW). Also leave a one-star review on their app, explaining in the review that they broke support for your system.
I know that this can all seem hopeless. But especially GrapheneOS is getting a lot of momentum now, rapidly gaining more users. It feels like it is a moment in time where we can seriously influence things for the better. There are ~500,000s users now. If everyone actively participates, we can move the needle.
These mobile IDs are too powerful: signing contracts, transferring all your funds or taking loans. Regulation is also papering it over a bit by requiring high-stakes lenders, etc. to do additional checks.
Germany was going in the right direction imho, they NFC enabled their ID cards (Sweden has info on them but no enablement procedures) that is then paired with the app, so the card acts as a 2nd factor that makes the app itself less of a security issue since a user will be required to physically enable it (sadly the NFC pairings are kinda fiddly.. but I'd take that as a security option for all non-trivial transfers).
Many countries in the EU already have all of that just done through some national equivalent system (for example here in Finland mainly with bank credentials).
And in fact additional checks are done when enough money is moving. For example when I signed my bank loan for an apartment I had to sign it again after 24 hours just to be really really sure that I wanted to sign it.
For smaller (but still big enough) stuff a second "second factor" usually kicks in, usually in the form of an SMS verification after the actual proper login with bank credentials (which has a proper 2 factor auth in itself too)
BankID is _in theory_ a nice technology. However, it is only handed out to people registered with the Swedish tax authorities holding a Swedish bank account.
All daily activities are nowadays bound to BankID: need a doctor's appointment? -> needs BankID; Want to buy something on Blocket? -> needs BankID.
As a European frequently spending some time in Sweden not in possession of a Swedish tax #, I feel very much excluded from online and partially offline activities in this country.
But on the plus side the Swedish state eID solution is planned to be delivered by end of year and hopefully most organizations will start migrating or at least dual-supporting them and in doing so also fix their services to support foreign eIDs in the process.
Sure a 24h delay or SMS code are 2 way but they fully fall into the bandaid category.
In the past we used to have disconnected dongles for banking, the bank issued a one-time challenge and you entered the response along with your username. Now there are disadvantages with those also but at least it was fully airgapped.
Anonymous digital age verification based on a suitable ZKP scheme and/or blind signatures does not require a general purpose operating system, it just requires a few cryptographic primitives and a set of device-bound keys. It is not too much to ask that the EU develops a specialized hardware token with these exact capabilities and offer them for free to all citizens as an alternative to the app. This also gives the citizens of EU the freedom to choose not to own a smartphone without having their access to digital services severely restricted.
But it must not limit the ability of running custom software on a phone. And especially not enforcing every person to get a Google/Apple signed phone.
Like if I get GrapheneOS on my phone. Banking/gov apps should work. But I believe this could be possible with enforcing hardware security as well.
I find the bank talking point strange, why are they special, are they even targeted more. It just feels like a boogeyman “think of your money!”
The reason why the system gets broken in Android occasionally is that most Android phones have terrible security and do not use a secure enclave/processor, etc. (which the iPhone had since 5s + Google/Samsung for quite some years through Titan M/Knox Vault). Instead they use TrustZone, which set up a TEE on the same CPU/RAM as the main OS. Of course, it uses memory protection for separation, but is often vulnerable to side-channel attacks. This is also the reason many Android phones will be cracked by Cellebrite in seconds (recently such a Mediatek TEE vulnerability was made public [1]).
[1] https://www.malwarebytes.com/blog/news/2026/03/this-android-...
It should really be an open-source specification that defines a standard protocol, but where the device just signs a request that it knows has come from a trusted source (so maybe signed by the government's key) with a key that the government's API knows that represents you.
So, I'd envisage something like government portal lets you add a bunch of public keys, one for each device, and shares a public key of its own that can be used to verify any requests. Something that wants to verify your identity can request your public key, and ask the government API for a challenge token which it passes back to you. You can verify the challenge token is signed by the key you trust, you can sign the challenge and return it to the app, which can pass it back to the government API which can then grant access to whatever subset of information they requested (and the challenge key can include enough information for the signing app to present a meaningful request).
Very simple in terms of protocol. Only the government needs to store any of your private data. If an application just needs to know if you are of a sufficient age or not, that's all the information it gets. If you lose your device you can easily revoke your keys and add new ones.
Sure, a specific implementation on a phone might want to use hardware attestation in order to keep its keys safe, but there's no reason that it has to be mandated. A well designed public key system should be sufficient leaving the implementation to safeguard its keys, while providing a simple way to replace keys if needed.
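The exchange sketched in the comment above (a government-signed challenge that the device checks and countersigns, with per-device public keys that can be revoked), which also illustrates the earlier point about trusting signatures rather than hardware, as an added example that is not part of the original thread or of any real eID system. The class names, the `age_over_18` claim, `shop.example` and the citizen record are hypothetical, and Ed25519 from Node's built-in `crypto` module is an assumed choice of signature scheme.

```javascript
// Added example (not from the thread): challenge-response identity check with Ed25519.
// All names, the 'age_over_18' claim and the citizen record are constructed for illustration.
const nodeCrypto = require('node:crypto');

const sign = (privateKey, bytes) => nodeCrypto.sign(null, bytes, privateKey);
const verify = (publicKey, bytes, sig) => nodeCrypto.verify(null, bytes, publicKey, sig);

class GovernmentApi {
  constructor() {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    this.publicKey = publicKey;   // published; devices pin it
    this.privateKey = privateKey;
    this.citizens = new Map();    // citizenId -> { claims, deviceKeys: Map(keyId -> public key) }
    this.pending = new Map();     // nonce -> expiry in ms; a challenge is single-use
  }
  registerCitizen(citizenId, claims) {
    this.citizens.set(citizenId, { claims, deviceKeys: new Map() });
  }
  addDeviceKey(citizenId, devicePublicKey) {
    const keyId = nodeCrypto.randomUUID();
    this.citizens.get(citizenId).deviceKeys.set(keyId, devicePublicKey);
    return keyId;
  }
  revokeDeviceKey(citizenId, keyId) {
    return this.citizens.get(citizenId).deviceKeys.delete(keyId);
  }
  // Called by the relying party: names who is asking and for which single claim.
  issueChallenge(citizenId, relyingParty, claim, ttlMs = 60000) {
    const nonce = nodeCrypto.randomBytes(16).toString('hex');
    const expires = Date.now() + ttlMs;
    this.pending.set(nonce, expires);
    const payload = Buffer.from(JSON.stringify({ nonce, citizenId, relyingParty, claim, expires }));
    return { payload, govSignature: sign(this.privateKey, payload) };
  }
  // Called by the relying party with the device's signature over the same payload.
  redeem(token, keyId, deviceSignature) {
    const deny = (reason) => ({ ok: false, reason });
    if (!deviceSignature) return deny('no device signature');
    if (!verify(this.publicKey, token.payload, token.govSignature)) return deny('not our challenge');
    const { nonce, citizenId, claim, expires } = JSON.parse(token.payload.toString());
    if (!this.pending.delete(nonce)) return deny('challenge unknown or already used');
    if (Date.now() > expires) return deny('challenge expired');
    const citizen = this.citizens.get(citizenId);
    const deviceKey = citizen && citizen.deviceKeys.get(keyId);
    if (!deviceKey) return deny('device key not registered or revoked');
    if (!verify(deviceKey, token.payload, deviceSignature)) return deny('bad device signature');
    return { ok: true, claim, value: citizen.claims[claim] }; // only the requested claim leaves
  }
}

class Device {
  constructor(govPublicKey) {
    this.govPublicKey = govPublicKey;
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    this.publicKey = publicKey;   // registered on the government portal
    this.privateKey = privateKey; // never leaves the device
  }
  // Signs only challenges that carry a valid government signature and that the user accepts.
  approve(token, userConsents) {
    if (!verify(this.govPublicKey, token.payload, token.govSignature)) return null;
    const request = JSON.parse(token.payload.toString());
    return userConsents(request) ? sign(this.privateKey, token.payload) : null;
  }
}

function runDemo() {
  const gov = new GovernmentApi();
  gov.registerCitizen('citizen-1', { age_over_18: true, name: 'Constructed Name' });
  const phone = new Device(gov.publicKey);
  const keyId = gov.addDeviceKey('citizen-1', phone.publicKey);
  const consent = (req) => req.relyingParty === 'shop.example' && req.claim === 'age_over_18';

  const token = gov.issueChallenge('citizen-1', 'shop.example', 'age_over_18');
  const deviceSig = phone.approve(token, consent);
  const granted = gov.redeem(token, keyId, deviceSig);
  const replayed = gov.redeem(token, keyId, deviceSig);       // same challenge a second time

  // A challenge signed by anyone other than the government is refused on the device.
  const rogue = nodeCrypto.generateKeyPairSync('ed25519');
  const forged = { payload: token.payload, govSignature: sign(rogue.privateKey, token.payload) };
  const forgedApproval = phone.approve(forged, consent);

  // A genuine challenge for a request the user does not accept is not signed either.
  const other = gov.issueChallenge('citizen-1', 'other.example', 'name');
  const declined = phone.approve(other, consent);

  // Lost phone: the key is revoked, and its signatures stop working.
  gov.revokeDeviceKey('citizen-1', keyId);
  const late = gov.issueChallenge('citizen-1', 'shop.example', 'age_over_18');
  const afterRevoke = gov.redeem(late, keyId, phone.approve(late, consent));

  return { granted, replayed, forgedApproval, declined, afterRevoke };
}

console.log(runDemo());
```

Nothing in the exchange depends on what hardware or OS holds the device key; the open question raised further down the thread, how to stop that key being copied, is left outside this sketch.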
It should simply be the adult account on the device is notified if the device is rooted, effectively no longer in child mode. Go crazy with the warnings on both devices if you want as they've opted in at that point.
To my knowledge, even more sophisticated ZKP schemes still rely on device bound keys to protect against duplication.
Question: how do you make sure the keys are device-bound if you have no attestation about the hardware or operating environment?
Wasn't there some talk about the pressing need for European digital sovereignty recently? Or was that just performative nonsense?
At FOSDEM, we discuss this at great length. There has been some movement, and I am optimistic that it is improving year on year.
I think it was last year that there was a good presentation from them about how they were going to use ZKP and it was indeed very trust inspiring. But do you think the latest digital wallet solution from eg Danish government uses ZKP? Of course not!
I have to say that the tune they play at FOSDEM and what we see put into production are just two different things.
Even if the pace is frustrating, there are still pockets of genuine open-source adoption in the European public sector. For example, we're seeing projects like Germany's OpenDesk or various municipalities moving toward Nextcloud and other sovereign cloud solutions.
The EU Open Source Strategy[0] was announced just under a month ago and it specifically mentions the EU Digital Identity ecosystem, including the European Digital Identity Wallet (EUDI Wallet) mentioned in the article. I agree with OOP that the requirement of an Apple or Google phone goes against these ambitions, and I will contact my elected representatives.
[0]: https://digital-strategy.ec.europa.eu/en/policies/open-sourc...
> To ensure that the User can trust the Wallet Solution, Wallet Providers preferably make their certified Wallet Solutions available for installation via the official app store of the relevant operating system (e.g., Android, iOS). This allows the operating system of the device to perform relevant checks regarding the authenticity of the app.
Of course the chances of any important business implementing a side channel option is effectively zero. Maybe some government agencies will offer the option though.
[0] https://github.com/eu-digital-identity-wallet
[1] https://eudi.dev/latest/architecture-and-reference-framework...
And, unless the regulatory environment changes, there probably never will be.
EU regulators have stop listening to tech company lobbyists.
The only short-term solution is more regulation and more EU-centralized solutions, but of course this is only ok until the next chat-control drama.
Long term, in practice we need single European stock market and a way to provide funding to European companies from any member state, so to be competitive globally without being constantly restricted by every member state’s bureaucracy.
New York alone has 2 stock exchanges. I don’t think that companies being listed in London, Paris and Frankfurt (they generally are listed on several anyway) is the actual issue.
Especially these days the stock market is the very final stage anyway, most funding for growing tech companies is private funds, vc etc.
When Trump was invading Denmark, a huge % of Danes would've given a shit about sovereignty from the US. And that's the moment to pounce.
If the EU was trying to decouple they'd mandate at least including a hardware token option as an alternative. This is not new technology, it's existing and has been in use for decades.
They're not trying to decouple, so they haven't mandated it.
There is no reason to believe that the EU (rather than the market participants in the EU) is in any way capable of that regardless of the amount of political will.
Spending massive amounts of money without knowing what you are trying to do or how will just result in a massive amount of grift and corruption
For this specifically EU could surely (only in theory since statistically the average EU bureaucrat is a pompous idiot to whom the word “accountability” is an entirely inconceivable concept) have something developed for a sane price in a reasonable amount of time.
There shouldn't need to be. Realistically for something like this an EU backed highly-audited non-profit should be in place for permanent highly controlled services like this that do not rely on any non-EU entities for it to function.
I hear them complaining but for now, the alternatives are mostly run by hobbyists.
We're starting from so low that even a few dozen millions would help a lot.
Edit: 2000m/7 is 285m, not 466m.
they do.
> 250 million isn't much ...
sigh.
Yes? Wake up, it is 2026.
Same goes with the prosecutors in Sweden; a phone call and the US got, not charges (as that would actually be official misconduct in Sweden), but enough of an official statement from a prosecutor to get the words “Assange” and “rape” in headlines together around the world by that evening.
European countries are, by and large, lapdogs of the USA. It’s sad. And then the US president turns around and stabs them in the back by threatening invasion and annexation, or complete disregard for the fundamental obligations of NATO members.
I really don’t know what the fuck the Europeans are thinking by playing the US’s stupid games. As we see time and time again, it won’t be repaid in kind.
Obviously, on both side (and beyond) they are nice people trying to plan good things without being too naive. But bragging all day through and destroy all that is in your power is both easier and more attention grabbing than discrete hard work at building better future for everybody.
I feel like the European relationship with the US can really be summed up by the 30 permanent military bases and 84,000 military personnel stationed in their borders and the underlying faith that it's for their own protection, except we better never ask them to leave just in case. Everything else sort of follows from that point.
Putin has about 700 000 personnel in Ukraine right now and isn't making any progress. Barbarossa took about 3 million personnel to start.
Then Trump threatened to invade Greenland. And now the US is in negotiation with NATO (yeah lol) to build 3 new bases there that would be designated as US territory (bwahaha). One thing I like about Trump he drags all the Europeans through the mud so publicly it makes the contradictions impossible to miss, that's why they all hate him but still have to kiss his feet it's awesome. Like Obama made their groveling seem less suspect.
But yeah people are fucking clueless about everything. At least our media is free and not state controlled propaganda right?
It will take 100 years and an extremely expensive, government-mandated reimplementation of every critical US tech service and company.
No EU country is putting up budget for this, and no private enterprise is going to do it because building a worse version of AWS just so that it is "European" makes no financial sense and would most likely just fail anyway.
Unless it becomes necessary because of EU regulation?
Mine is to a collective people that vote in these people. I get that people can change, grow, evolve etc. but I didn't trust a German for 60 years, I won't trust an American for at least a generation.
The Wikipedia page only talks about stored data on (optionally foreign) servers without any sort of regard for the laws of the country where that server is located. It ignores the part of the statute where the feds can basically "turn off" that server. And that is the part that the EU is panicking over.
I don’t see what the problem is. That they actually used it first?
Trump made that whole arrangement cracking a little bit, but I still think it's mostly just the optics of it all they are still loyal servants. Nobody in Europe that matters gives a shit about Karim Khan or Francesca Albanese getting debanked and sanctioned, they would and love to do it themselves.
And even if the bipartisan system make a small turn over, the issue is systemic.
If there is a higher level mandate or incentive to switch, people absolutely will - for example, if a government decides en masse to switch away from one OS or platform. [0]. This will likely be hugely influential, as then everyone who wants to communicate effectively with that government needs to make sure that they are compatible - which will likely drive adoption of the alternate technologies over time.
However, IMO the big challenge is MS Office - as much as people like to mention the FOSS Office alternatives, there's still a huge gap to cross before mainstream companies will adopt them. (To paraphrase, no-one gets fired for choosing Microsoft Office.)
Beyond this, on the more 'personal' level you discuss, the picture is more varied than you describe. Some people's elderly parents absolutely can and do switch to different email clients or browsers. Some groups of friends can and do switch messenger platforms - my personal comms are now split roughly 80:20 between Whatsapp (the default) and Signal. (It just took a determined minority deciding to switch, and the others followed.)
> We already have social media, hosting, email, operating systems, messengers and the likes from European providers.
Yes, but they aren't really competitive, as they currently aren't the easy/free/well-marketed/popular options that everyone defaults to when they first get a computer, or that their friends are already using. It's just network effect and inertia.
This can and will change if the need for a reduced dependence on the US continues to be front and center of people's minds. (Note this is mostly driven by the Trump administration's behaviour; the next president could probably heal many of these wounds and our European politicians will move on to caring about something else.)
[0] https://www.rfi.fr/en/france/20260417-france-to-remove-windo...
> EU App Store: Apple Removes Thousands of Apps Due to Digital Services Act Requirements
> Apple’s app removals follow the Digital Services Act, a European law requiring all app traders to display verified contact details, including address, email, and phone number.
https://www.techrepublic.com/article/eu-app-store-apple-digi...
You think apps which wouldn't want to implement Chat Control will remain on the app store?
EU to legislate about Chat Control behind closed doors (https://news.ycombinator.com/item?id=48707719)
And yes, not every regulation destroys monopoly, but regulation is the only thing that could break one.
No. Monopolies are only inevitable if the goods aren't elastic, if there is a large cost of entry into the market, or if it's a market where you can create a moat that is unsurmountable.
Many markets don't have that even with 0 regulation, but might have second order problems like firms creating unsafe products for example.
But in general regulations almost always, even unintendedly, raise the cost to enter the market. If you make a new regulation that food needs to be safe, then the company needs to pay a safety inspection that a small home-made recipe might not be able to afford (to give a simple example).
At the same time, we now have uber large corporations due to non elastic parts of supply chain (like land) or moats that are insurmountable (like access to US capital). In which case, the FCC should break up monopolies as the current market is not catering to end users and consumers but to owners, which is why the Stock market has been in a never ending bull run.
That is one of the ways a Moat can happen and a monopoly can occur. For example if you were the only person with a loom and everyone else had to make jumpers by hand, you could make them so cheap they would have to close down.
In some markets those ways you can benefit from scale exist, in others there are drawbacks. In many cases those advantages only exist due to either regulation or lack thereof.
For example ways companies might have an advantage is by manufacturing in cheaper countries, but that only works because those workers have less rights and the cost of transporting is not properly taxed. Carbon taxes on shipping would make manufacturing in China pretty comparatively priced to many European countries. But if you let them contaminate the ocean with crude oil boats, then their manufacturing prowess and cheaper labour cost will offset the shipping cost and destroy a newcomer.
These are very basic examples and they all require nuance but hope it helps to explain it a bit more.
Another example is restaurants, you used to have some advantages from being a chain, but you would still constantly see mom and pop joints compete and even win. But as rent prices keep increasing (the non elastic market of the ground under the lease), suddenly the advantages of scale start beating the disadvantages of worse food and service.
Groklaw was a website that was started by a paralegal to try to understand, explain and report on the SCO lawsuit - who benefited and how they benefited. It ended up expanding into the EU anti-trust action against Microsoft and OpenDocument (and how OpenOffice was created as a trojan horse to defang OpenDocument).
This ad hominem stuff is genuinely worthless.
I've yet to see anyone counter the basic points of that post, because they look pretty solid. Happy if you have a non-vibes based rebuttal.
The same could be said for people who suggest regulation for every problem that comes up, even for problems that were caused by regulation. Maybe we have our blindspots, but the "regulate everything" crowd is much louder and more prevalent on HN than the free market absolutists.
In econ the easiest part is to create a model, the hardest part is seeing it crash against reality. But the basis of monopolies seems to be pretty thoroughly tested. The biggest issues you have now are Chesterton's fences, where it's hard to know which laws and regulations are there for safety, parity and economic performance and which ones are only creating friction with no benefit due to years of laws being put on top of other laws.
> I know "chesterton fence", I smart
4chan greentext style over substance is cute, but it's outdated and wasn't that funny a decade ago
if you have nothing to add, then why reply?
I am pro-regulation, where regulation for me is busting monopolies, preventing tragedy of commons, setting necessary quality checks, forbidding forced labor. I am against regulation, when it's chat control, 100% tariffs on whatever, forbidding working on Friday past 17:00 and completely on Weekends. < Why do I even have to point this out?
There's no nuance remaining in this world, people (the proselytizing nerd types) emotionally attach themselves to sophistry that is the spelled-out economic theories, while completely disregarding common sense. Missing forest for trees.
In short - fuck America.
first comment was both cheeky and had a "i agree" at the end. Those are both niceties. Not sure why I would have to explain tone from mild critique to being a wee cu nt in back to back messages
> I am pro-regulation, where regulation for me is busting monopolies, preventing tragedy of commons, setting necessary quality checks, forbidding forced labor. I am against regulation
What does any of this nonsense have to do with me replying to someone who had a basic question about the non-existence of monopolies in unregulated markets?
I explained the basic mechanisms for monopoly creation which are all easy math formulas that happen in bacteria growth too because "if nothing stops me I eat everything" is equally valid in any env where there is growth
> There's no nuance remaining in this world
coming from anti-intellectual "oh you know chesterton fence" responses is pretty ironic.
Btw if you are going to call people out for using big words maybe don't come out with the most 17 year old "people aren't as smart as me as they emotionally attach themselves to sophistry while I am a nuanced rational übermensch". It reeks of intellectual insecurity.
I asked for empirical evidence against the mechanisms of monopoly creation because moats, regulation and inelastic markets are the most studied and reproducible mechanisms in nature, economics and any growth env. The formula just converges to infinity
> In short - fuck America.
it's like 3am there, everyone here is asian and european rn... you are fighting windmills
A lot of these were international. Just read up on "Cartel capitalism".
https://www.cambridge.org/core/journals/enterprise-and-socie...
The European Steel and Coal Community (precursor of the EU) was also involved in the effort to stop these. In general this has been something the EU has been involved in since its inception and the best action against monopolies is to not let them form in the first place (which is why there are so few of them in general in most developed countries. Though that is now slowly changing it seems)
Keep in mind that just having a big market share isn’t a monopoly, being able to charge monopoly prices is.
No.
A better answer would be 'not always'.
The proposed regulations forcing everybody to use google or apple are ridiculous and very much the opposite of the kind of regulations we need though...
(nit: I assume you meant "marketshare becomes unavailable")
So you mean that regulations that are created based on lobbying by corporations help them become monopolies? Sure, that makes sense. But that's different from a blanket "Regulations create monopolies".
The only way to guarantee a monopoly is to have a total lack of regulation. It's known that every "free" market will tend towards monopoly due to the 1% law. Regulations are the only way to actually guarantee free markets because perfect free markets only exist in the abstract, not in reality. Sometimes, a free market is the wrong solution and you need a regulated monopoly instead, and with identity that's the best solution. Why? Because identity is unique to the individual. An individual must (in theory) only have one identity and, with very extreme and usually well documented exceptions, such identity doesn't change. The state is the one that must provide a good way for identity and if smaller countries don't have the resources, then big countries should provide for all. Also, it removes incompatibility between countries while keeping private interests out.
The state should have the sole monopoly on attesting to anyone's identity. Because they are the only ones that are not affected by market conditions. This is how countries that have advanced in this topic actually work. If individual states can't reach a common solution, then the collective must do so. The collective failed here because it recommended a private solution rather than mandating a European one. The private sector must not dictate what or how identity is attested, because the private sector has its profit-pursuing agenda; the state must evaluate solutions, but it's up to the states to run them and implement them.
Market solutions are good for several things, this isn't one of them.
Electing to not do something impossible and framing it as a surrender is strange to me.
I remember when a Youtuber asked live viewers to "vote" by typing emojis, and a whole bunch of viewers got their Google accounts banned for spamming[1]. Google is also famously averse to user support (understandable given the scale of their free services), so individual remedy is unlikely.
I can already see the new ransomware: "pay us or we'll send spam from your gmail and you'll lose your digital ID".
[1] https://www.engadget.com/2019-11-10-youtube-reinstates-banne...
Also people are dependent on Play or App store. DB does not offer the app for direct download.
That would solve the open hardware/OS "problem" on the device entirely, as there's no trusted hardware or OS signature required anymore. You could argue that this adds the possibility of a MITM attack on the phone (since you don't know what you sign anymore or who you are providing with your PIN, as the card has no display and no PIN pad), but I wonder if mitigating this is worth all the lock-in concerns that phone attestation goes hand in hand with.
As it is, all EU ID cards already have mandatory strong cryptographic authentication, but in a form that's usable only for in-person ID checks (under the corresponding ICAO biometric identity document standards), not for remote ID attestation. This is frustratingly close, but not what's needed.
If you disallow installing applications post-issuance (which is probably a good idea for ID cards), you don't even have to worry about VM runtime integrity either, as there will be only your application running on the card.
If I am not able to use any digital service or product on a computer that I could have built entirely myself (or had anyone of my choice build for me), running code I could have written entirely myself (or had anyone of my choice write for me), then that is completely unacceptable.
And complement it with hardware tokens for highly sensitive applications.
Passkeys could have been that, but they were quickly subverted by the industry.
They will frame it as "child porn trafficking patriot saving act" and the majority will vote in favour without reading the fine print.
It should be an open standard that's local first. Government issues certificate, user loads it into any supported client app on any platform (official, open-source, Google/Apple Wallet, etc). The user should then be able to selectively share data from the certificate with third-parties, directly between the client-app and the third-party, using an open standardized protocol/format. The important challenge is that we obviously shouldn't have to share the entire certificate (which would include all data in it), there shouldn't be a static subject pubkey which creates linkability between data-shares, and obviously we'd need privacy-focused data fields like {"isover18": true} in addition to full DoB.
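The selective-disclosure scheme the comment above asks for, sketched as an added example that is not part of the original thread or of any EUDI project's code. It uses the salted-digest approach that SD-JWT and ISO mdoc credentials use, and goes one step further by issuing one-time copies to avoid linkability. All names are hypothetical, and HMAC stands in for the issuer's asymmetric signature so that the sketch needs only the standard library.

```python
import hashlib, hmac, json, secrets

# Constructed key. HMAC stands in for the issuer's asymmetric signature
# (assumption, stdlib only); a real verifier would hold only a public key.
ISSUER_KEY = secrets.token_bytes(32)

def _digest(salt, name, value):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _sign(digests, key):
    return hmac.new(key, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(claims, key=ISSUER_KEY):
    """Issuer: salt each claim and sign only the sorted list of digests."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    return {"digests": digests, "sig": _sign(digests, key),
            "disclosures": disclosures}

def present(credential, reveal):
    """Holder: send the signed digests plus only the chosen disclosures."""
    return {"digests": credential["digests"], "sig": credential["sig"],
            "disclosed": {n: credential["disclosures"][n] for n in reveal}}

def verify(presentation, key=ISSUER_KEY):
    """Verifier: return the proven claims, or None if anything fails."""
    expected = _sign(presentation["digests"], key)
    if not hmac.compare_digest(expected, presentation["sig"]):
        return None
    proven = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in presentation["digests"]:
            return None  # disclosure was altered or never issued
        proven[name] = value
    return proven

def linkable(p1, p2):
    """Two colluding verifiers can join presentations that share any bytes."""
    return p1["sig"] == p2["sig"] or bool(set(p1["digests"]) & set(p2["digests"]))

# Constructed sample data.
CLAIMS = {"name": "Maria Rossi", "dob": "1990-04-12", "isover18": True}
single = issue(CLAIMS)
batch = [issue(CLAIMS) for _ in range(2)]  # one-time copies, fresh salts

if __name__ == "__main__":
    print(verify(present(single, ["isover18"])))  # only the age flag
    print(linkable(present(single, ["isover18"]), present(single, ["dob"])))
    print(linkable(present(batch[0], ["isover18"]), present(batch[1], ["isover18"])))
```

Reusing one credential stays linkable through its signature and digest list even when different claims are revealed, which is why the batch of one-time copies matters.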
Only months later did I learn that her husband was investigated for misappropriation of funds, so keeping a minimal digital footprint was important for her.
Moral of the story: everyone has a smartphone.
"Your papers, please"
https://openwallet.foundation/
SPRIND: https://github.com/openwallet-foundation/eudiplo
Animo: https://github.com/openwallet-foundation-labs/mdoc-ts
and we do engage with NGOs and governments across the EU.
In the end it is all being used to track and control us.
"Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin
Never truer words ever spoken. And yet we keep slipping down this slope again and again and again and it seems there is never a way to climb back out.
1. Smart Cards (The Current National ID)
2. Standalone Hardware Tokens & USB Keys
EUID has a "provider/verifier" endpoint which communicates with the website to inform it that you are indeed 18+.
Link: https://github.com/eu-digital-identity-wallet/eudi-srv-verif...
The GitHub page has a graph of how it works.
So the government can track your accounts via IP, timestamps, token (if the website saves it).
Just in case you don't bother visiting the GitHub page, the simplified flow works like this:
1) You scan QR code 2) Verification 3) Provider/Verifier informs website +18 age
So if I verify my age then watch some material which doesn't agree with my government's values like females with male genitals. I'd be royally screwed if government wishes to pursue.
It captures biometrics and is used across India to easily verify identification using OTP on mobile. Used across almost every sphere - bank accounts, passport, financial services like stocks/mutual funds etc.
You get a unique adhar-id (or can generate virtual IDs if sharing temporarily) to verify your identity across any service.
I agree of course, Europe should not be using US services for critical infrastructure. But more importantly I think that we are private citizens. The government should know as little as possible about us. We on the other hand should know every single move, decision, and discussion they have while they sit on the chairs we paid for.
The irony in this as a European is that in the US people don’t even need national ID in the sense we got in Europe. They travel using driving license or library card. We got mandatory passports with biometric data - refusal to provide that data is practically impossible.
The corporations have the tech and network effects on their side.
The problem is not that the ID wallets require Google and Apple. The problem is that we're getting eaten alive by this Big Brother called EU (led by the UK initiatives) that is starting an unprecedented control over the population.
These ID wallets should be all optional, there should NOT be any age verifications.
I remember ~10 years ago when Europe was laughing at China's face detection systems to track citizens.
We're becoming much worse than that now.
There is one thing after the next, under Von der Leyen and Metsola, it's ridiculous.
Duopoly but yea. Because there is no third alternative. Microsoft failed/gave up with Windows Phone. The people trying to fix secure government services can't really tackle that issue, but the systems need to be built now anyway.
Age verification solutions could also be built on dedicated hardware tokens, even though the tokens required to build a ZKP or blind signature based solution may not be available off the shelf right now.
I question that premise.
Vendor lock-in is real
The only reasonable explanation I have, other than pure incompetence, is that this has been in development for quite a long time and the current political situation became an obvious problem only in the last few years.
This is not safe.
No thanks, I don't want any of that for obvious security reasons
From fingerprint/face id to digital id..
Like banking apps are now using play protect/depending on Google.
(Just a matter of time Google/Apple will be banks themselves, as is the danger with governments)
Of course the world could be a more open place, but constraint, rules and control are too pleasing to not implement, sadly.
Without the proper laws and proper leaders of law enforcement that protect an individual's right to transact, one's rights were always just a technological advance away from being taken away.
God help you if you need to try and fix a serious problem. Sorry, you loaded a video of the first dance of your wedding to YouTube and now have a copyright strike, now you can't file taxes.
Hopefully you are famous enough on Twitter to get someone in Google to fix this.
The government gets data to “manage” the citizens and the companies get data to “manage” consumer and the power structure is protected.