this post was submitted on 27 Jul 2025
541 points (99.3% liked)

Technology

73534 readers
2451 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots


founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] artyom@piefed.social 226 points 6 days ago* (last edited 6 days ago) (2 children)

Please don't link to Reddit. Context below:

The EU is currently developing a whitelabel app to perform privacy-preserving (at least in theory) age verification to be adopted and personalized in the coming months by member states. The app is open source and available here: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui.

Problem is, the app is planning to include remote attestation feature to verify the integrity of the app: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui?tab=readme-ov-file#disclaimer. This is supposed to provide assurance to the age verification service that the app being used is authentic and running on a genuine operating system. Genuine in the case of Android means:

  • The operating system was licensed by Google

  • The app was downloaded from the Play Store (thus requiring a Google account)

  • Device security checks have passed

While there is value to verify device security, this strongly ties the app to many Google properties and services, because those checks won't pass on an aftermarket Android OS, even those which increase security significantly like GrapheneOS, because the app plans to use Google "Play Integrity", which only allows Google licensed systems instead of the standard Android attestation feature to verify systems.

This also means that even though you can compile the app, you won't be able to use it, because it won't come from the Play Store and thus the age verification service will reject it.

The issue has been raised here https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui/issues/10 but no response from team members as of now.

[–] dubyakay@lemmy.ca 53 points 6 days ago (2 children)

So is there a way to apply pressure on the EU to think this through first? Surely they could have different ways that doesn't lock them in to google services.

[–] artyom@piefed.social 48 points 6 days ago (1 children)

According to the users in that issue, the mere application of the API is illegal, as is the dependency. Sooo I dunno what kind of PACs there are in the EU but I would be leaning on and contributing to those.

[–] ggtdbz@lemmy.dbzer0.com 16 points 5 days ago (1 children)

I do feel like that’s a precarious state to leave this in, especially if they’re developing the backend for it.

Is there even enough momentum for a SKG-style wave of coverage? It would need to be justified properly by citing things like the Tea app data leak, to make a strong case (to political pencil pushers) for the danger of tying personal information to profiles or even to platforms. Otherwise the only thing they’ll see is “gamers want to make porn accessible to children”.

I don’t know. This whole situation boils my blood because I really care about online anonymity, and this is kind of nightmare scenario shit for me. I’m not even in the UK or EU.

[–] Ulrich@feddit.org 2 points 5 days ago

I’m not even in the UK or EU.

We've had this shit in the US for a while now.

[–] iii@mander.xyz 10 points 5 days ago* (last edited 5 days ago) (2 children)

To avoid people from simply copying the "age proof" and having others reuse it, a nonce/private key combo is needed. To protect that key a DRM style locked down device is necessary. Conveniently removing your ability to know what your device is doing, just a "trust us".

Seeing the EU doesn't make any popular hardware, their plan will always rely on either Asian or US manufacturers implementing the black-box "safety" chip.

[–] Redjard@lemmy.dbzer0.com 2 points 5 days ago (1 children)

If it is about hiding some data handled by the app, that will be instantly extracted.
There are plenty of people with full integrity on rooted phones. It's really annoying to set up and keep going, and requiring that would fuck over most rooted phone/custom os users, but someone to fully inspect and leak everything about the app will always be popping up.

[–] iii@mander.xyz 1 points 4 days ago (1 children)

If it is about hiding some data handled by the app, that will be instantly extracted.

Look at the design of DRM chips. They bake the key into hardware. Some keys have been leaked, I think playstation 2 is an example, but typically by a source inside the company.

[–] Redjard@lemmy.dbzer0.com 1 points 4 days ago (1 children)

That applies to play integrity, and a lot of getting that working is juggling various signatures and keys.
The suggestion above which I replied to was instead about software-managed keys, something handed to the app which it then stores, where the google drm is polled to get that sacred piece of data. Since this is present in the software, it can be plainly read by the user on rooted devices, which hardware-based keys cannot.

Play integrity is hardware based, but the eu app is software based, merely polling googles hardware based stuff somewhere in the process.

[–] iii@mander.xyz 1 points 4 days ago

merely polling googles hardware based stuff

I understand. In the context of digital sovereignty, even if the linked shitty implementation is discarded (as it should be), every correct implementation will require magic DRM-like chip. This chip will be made by a US or Asian manufacturer, as the EU has no manufacturing.

[–] General_Effort@lemmy.world 1 points 5 days ago (1 children)

The key doesn't have to be on your phone. You can just send it to some service to sign it, identifying yourself to that service in whatever way.

[–] iii@mander.xyz 1 points 4 days ago* (last edited 4 days ago) (1 children)

It's that "whatever way" that is difficult. This proposal merely shifts the problem: now the login to that 3rd party can be shared, and age verification subverted.

[–] General_Effort@lemmy.world 2 points 4 days ago (1 children)

A phone can also be shared. If it happens at scale, it will be flagged pretty quickly. It's not a real problem.

The only real problem is the very intention of such laws.

[–] iii@mander.xyz 1 points 4 days ago (1 children)

If it happens at scale, it will be flagged pretty quickly.

How? In a correct implementation, the 3rd parties only receive proof-of-age, no identity. How will re-use and sharing be detected?

[–] General_Effort@lemmy.world 1 points 4 days ago (1 children)

There are 3 parties:

  1. the user
  2. the age-gated site
  3. the age verification service

The site (2) sends the request to the user (1), who passes it on to the service (3) where it is signed and returned the same way. The request comes with a nonce and a time stamp, making reuse difficult. An unusual volume of requests from a single user will be detected by the service.

[–] iii@mander.xyz 1 points 4 days ago* (last edited 4 days ago) (1 children)

from a single user

Neither 2 nor 3 should receive information about the identity of the user, making it difficult to count the volume of requests by user?

[–] General_Effort@lemmy.world 1 points 3 days ago (2 children)

Strictly speaking, neither needs to know the actual identity. However, the point is that both are supposed to receive information about the user's age. I'm not really sure what your point is.

[–] iii@mander.xyz 1 points 3 days ago (1 children)

I must not be explaining myself well.

both are supposed to receive information about the user's age

Yes, that's the point. They should be receiving information about age, and age only. Therefore they lack the information to detect reuse.

If they are able to detect reuse, they receive more (and personal identifying) information. Which shouldn't be the case.

The only known way to include a nonce, without releasing identifying information to the 3rd parties, is using a DRM like chip. This results in the sovereignty and trust issues I referred to earlier.

[–] General_Effort@lemmy.world 1 points 3 days ago (1 children)

The site would only know that the user's age is being vouched for by some government-approved service. It would not be able to use this to track the user across different devices/IPs, and so on.

The service would only know that the user is requesting that their age be vouched for. It would not know for what. Of course, they would have to know your age somehow. EG they could be selling access in shops, like alcohol is sold in shops. The shop checks the ID. The service then only knows that you have login credentials bought in some shop. Presumably these credentials would not remain valid for long.

They could use any other scheme, as well. Maybe you do have to upload an ID, but they have to delete it immediately afterward. And because the service has to be in the EU, government-certified with regular inspections, that's safe enough.

In any case, the user would have to have access to some sort of account on the service. Activity related to that account would be tracked.


If that is not good enough, then your worries are not about data protection. My worries are not. I reject this for different reasons.

[–] iii@mander.xyz 1 points 3 days ago* (last edited 3 days ago) (1 children)

is being vouched for by some government-approved service.

The reverse is also a necessity: the government approved service should not be allowed to know who and for what a proof of age is requested.

And because the service has to be in the EU, government-certified with regular inspections, that's safe enough

Of course not: both intentional and unintentional leaking of this information already happens, regularly. That information should simply not be captured, at all!

Additionally, what happens to, for example, the people in Hungary(*)? If the middle man government service knows when and who is requesting proof-of-age, it's easy to de-anonymise for example users of gay porn sites.

The 3rd party solution, as you present it, sounds terribly dangerous!

(*) Hungary as a contemporary example of a near despot leader, but more will pop up in EU over the coming years.

[–] General_Effort@lemmy.world 1 points 3 days ago (1 children)

The reverse is also a necessity: the government approved service should not be allowed to know who and for what a proof of age is requested.

It would send the proof to you. It would not know what you do with it. I gave an example in the previous post how the identity of the user could be hidden from the service.

If the middle man government service knows when and who is requesting proof-of-age, it’s easy to de-anonymise for example users of gay porn sites.

It would be a lot easier to get that information from the ISP.

[–] iii@mander.xyz 1 points 3 days ago (1 children)

I gave an example in the previous post how the identity of the user could be hidden from the service.

In both your examples the government service has your full identity, then pinky promises to forget it.

Unless I'm misunderstanding something?

It would be a lot easier to get that information from the ISP.

Not quite the same, as IP addresses are shared through NAT, VPNs exist, etc. With the proposed legislation it is illegal for website operators to deliver content to known VPN ips, as they cannot confirm that the end user isn't a EU subject.

[–] General_Effort@lemmy.world 1 points 3 days ago (1 children)

In both your examples the government service has your full identity, then pinky promises to forget it.

It can be like buying alcohol in a store. They look at you and see your age. Or if it's unclear, the store clerk asks your idea and promptly forgets all about it. Except you're not buying alcohol but a login for some age verifier.

[–] iii@mander.xyz 1 points 3 days ago* (last edited 2 days ago) (1 children)

So yes, they get your identity, then promise to forget it.

That's a worst of both worlds proposal: it makes it trivial to deanonymise people, and it doesn't solve the replay attacks.

[–] General_Effort@lemmy.world 1 points 2 days ago (1 children)

Maybe buying alcohol works differently where you live.

[–] iii@mander.xyz 1 points 2 days ago

They ask for ID card indeed, making it super easy to just make a copy. On top of that, your payment details are stored. You're on camera. Etc.

Super easy to automate deanonymization. (1).

[–] Appoxo@lemmy.dbzer0.com 2 points 5 days ago (1 children)

Wouldnt it be enough to verify through IMEI to make sure the OS isnt emulated?

[–] artyom@piefed.social 7 points 5 days ago (1 children)
[–] Appoxo@lemmy.dbzer0.com 1 points 5 days ago (2 children)

Is it tied to my real identity?
If not it seems to me that it should be sufficient as to serve as a security this phone is legit and not emulated/compromised.

[–] artyom@piefed.social 7 points 5 days ago* (last edited 5 days ago)

Yes it's tied to your identity. That's what PII is. It's also not tied at all to your OS.

[–] Redjard@lemmy.dbzer0.com 1 points 5 days ago

In the eu, phone numbers by law are tied to state identities.
And the phone provider can naturally resolve their sim IDs down to the phone number they are assigned to.
Anything related to celltower interactions is PII.