this post was submitted on 28 Jul 2025
132 points (99.3% liked)

Privacy

2065 readers
55 users here now

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 2 years ago
MODERATORS
Ategon@programming.dev
danielintempesta@programming.dev
132
The new age verifying app for the EU will only accept Google Play integrity for Android, de-facto banning any aftermarket OS like GrapheneOS (github.com)
submitted 6 days ago by Blaze@piefed.zip to c/privacy@programming.dev
38 comments fedilink hide all child comments
 

Taken from the readme of the app on github:

The current release provides only basic functionality, with several key features to be introduced in future versions, including:

App and device verification based on Google Play Integrity API and Apple App Attestation

Additional issuance methods beyond the currently implemented eID based method.

These planned features align with the requirements and methods described in the Age Verification Profile.

There is an issue opened to remove this as it's basically telling us that to verify our age in the EU an American corporation has the last word, making it not only a privacy nightmare but a de-facto monopoly on the phone market that will leave out of the verification checks even the fairphone (european) with /e/os.

you are viewing a single comment's thread
view the rest of the comments
[–] vapeloki@lemmy.world 1 points 4 days ago* (last edited 4 days ago) (7 children)

Like what? Dude! There is no app you're can install, so there's no requirement for Google APIs.

I think you have no idea what you are talking about, what the issue is, and why the scope of the project matters.

Let me try to summarize this:

EU policies require the ability to verify COUNTRY SPECIFIC implementations to be verifiable. The reference implementation linked above uses a Google API for it.

Countries, that implement the actual apps are free to offer other verification methods then the Google API.

Italy has an app currently, and this app requires this stupid Google API, yes, but that is not the above project.

The websites will never communicate with the play services! They communicate with the APIs of the authorities issuing the state ID's. The App must be verifiable to protect the user! We have a state ID app in Germany. It is open source and I compiled it for my Linux desktop and graphene OS based phones. Guess what, yeah, it works.

What many are missing here: the purpose of the verification and the actual authentication workflow.

Also, let me just cite the readme of the project:

This is an initial version of the software, developed solely for the purpose of demonstrating the business flow of the solution. It is not intended for production use, and does not yet include the full set of functional, security, or integration features required for a live deployment.

But we are all going crazy because some minimal example code relays on Google APIs ....

Please stop pushing such utterly wrong and confusing bullshit.

[–] IceFoxX@lemmy.world 1 points 3 days ago* (last edited 3 days ago) (6 children)

btw

[–] vapeloki@lemmy.world 1 points 3 days ago (5 children)

I know this issue, yes? And now?

[–] IceFoxX@lemmy.world 1 points 3 days ago (1 children)

Just keep believing in the good in people among politicians... even if it is foreseeable where they are heading

[–] vapeloki@lemmy.world 1 points 3 days ago (1 children)

Wtf are you now talking about? The politicians already defined the digital rights act.

And politicians don't write software.

[–] IceFoxX@lemmy.world 1 points 3 days ago (1 children)

yes, many things would have been impossible half a year or a year ago... maybe you haven't noticed that vpn bans are already an issue... chat control is also a hot topic again, as is the problem of encryption... of course the politicians don't write it themselves, but they don't need it either... but they are so damn extremely naive that it is an extremely dangerous naivety that doesn't even realize that democracy is currently under attack.

[–] vapeloki@lemmy.world 2 points 3 days ago (1 children)

You are absolutely right about end-to-end encryption and VPN. Essentially everything that has to do work law enforcement.

End we should focus on those topics. They are political issues and have lasting consequences. That a reference implementation will require Google APIs in the future is not an issue worth rageing about beyond "That is a bad example and violates EU law".

[–] IceFoxX@lemmy.world 1 points 3 days ago

there is just an extremely high probability that they will adapt to the extent that customroms are definitely excluded, because they are even more of a thorn in their side. they would be happy if, for example, grapheneOS was no longer an issue or hardened Android variants. root etc. should be just as problematic for them, so you can be sure that unlocked bootloaders will be excluded sooner or later. salami tactics

load more comments (3 replies)
load more comments (3 replies)
load more comments (3 replies)