The issue isn't just the technical dependency.

It's also the fact that it forces each citizen to pay a few hundred Euros to companies which then campaign against their very rights.

Citizens get no support of any kind in case of issues, and has to enter a contractual agreement which is ridiculously asymmetrical, where the company has little to no responsibility of any kind, but has very ample rights to track the other party in extremely creepy ways.

This is only reflects their market share for now. The EU legally forbids member states from making a smartphone mandatory to access public services. The EU explicitly anticipated the danger of relying entirely on the iOS and Android and designed the EUDI Wallet framework to allow for other physical form factors. For example;

1. Smart Cards (for example The Current National ID)

2. Standalone Hardware Tokens & USB Keys

Special-casing support for GrapheneOS would be a band-aid, they should find a way to avoid requiring remote attestation in the first place, so anyone can use whatever OS they like on whatever hardware they like.

The lawsuits, sadly, won't matter. "Security" (or, rather, totalitarian control!) is more important than the 1% of nerds who care enough to tinker with their phone.

Also, as the article says, Play Integrity is most likely a violation of the DMA. Send a message to the EU DMA Team if you live in the EU and are affected by this (or affected by this in the future, if you plan to switch to an alternative):

https://digital-markets-act.ec.europa.eu/contact-us-eu-citiz...

The more examples they get of actual citizens that get hit by this, the better. I have recently sent messages when Google introduced their new device-based recaptcha and when Volkswagen started blocking GrapheneOS. Of course, do not yell, explain patiently and with good argumentation why you are affected by Play Integrity and how you believe Play Integrity is used to enforce the duopoly + goes counter EU sovereignty.

Also, for apps that use Play Integrity, e-mail the company. React to their boilerplate replies with follow-ups (this slowly seems to get some headway with VW). Also leave a one-star review on their app, explaining in the review that they broke support for your system.

I know that this can all seem hopeless. But especially GrapheneOS is getting a lot of momentum now, rapidly gaining more users. It feels like it is a moment in time where we can seriously influence things for the better. There are ~500,000s users now. If everyone actively participates, we can move the needle.

GrapheneOS supports attestation too, so even if they succeed it will likely just turn into a gift to Google, Apple and GrapheneOS. It's hardware attestation that needs to be opposed as it's inherently user hostile, allowing a single popular Android distro doesn't do much in the grand scheme of things.

As a technical point, note that however there is no legal requirement to follow this reference. Wallet providers can choose a different implementation.

Motorola/GrapheneOS, and FairPhone/e/OS.

There is too much corruption, nothing can be done at this point. Atleast CIE app works on graphene for now so I can do everything else on the web. If they block that idk what I would even do.

Honestly, as long as the architectures is fatally flawed (Even if convenient) it's just bandaids over a larger issue.

These mobile id's are too powerful, signing contracts, transfering all your funds or taking loans, regulation is also papering it over a bit by requiring high-stakes lenders,etc to do additional checks.

Germany was going in the right direction imho, they NFC enabled their ID cards (Sweden has info on them but no enablement procedures) that is then paired with the app, so the card acts as a 2nd factor that makes the app itself less of a security issue since a user will be required to physically enable it (sadly the NFC pairings are kinda fiddly.. but I'd take that as a security option for all non-trivial transfers).

I'm ok with enforcing hardware security. Both for banks and governments.

But it must not limit the ability of running custom software on a phone. And especially not enforcing every person to get a Google/Apple signed phone.

Like if I get GrapheneOS on my phone. Banking/gov apps should work. But I believe this could be possible with enforcing hardware security as well.

Exactly, I'm not sure what benefits hardware attestation offers to the government. Sure, it's potentially useful for the customer that they can trust their keys are secure on their device, but it kind of misses the point.

It should really be an open-source specification that defines a standard protocol, but where the device just signs a request that it knows has come from a trusted source (so maybe signed by the government's key) with a key that the government's API knows that represents you.

So, I'd envisage something like government portal lets you add a bunch of public keys, one for each device, and shares a public key of its own that can be used to verify any requests. Something that wants to verify your identity can request your public key, and ask the government API for a challenge token which it passed back to you. You can verify the challenge token is signed by the key you trust, you can sign the challenge and return it to the app, which can pass it back to the government API which can then grant access to whatever subset of information they requested (and the challenge key can include enough information for the signing app to present a meaningful request).

Very simple in terms of protocol. Only the government needs to store any of your private data. If an application just needs to know if you are of a sufficient age or not, that's all the information it gets. If you lose your device you can easily revoke your keys and add new ones.

Sure, a specific implementation on a phone might want to use hardware attestation in order to keep its keys safe, but there's no reason that it has to be mandated. A well designed public key system should be sufficient leaving the implementation to safeguard its keys, while providing a simple way to replace keys if needed.

Yes, and there is an open source spec [1] that doesn’t require Google/iOS Attestation but “preferably” providers will make their wallet app available on App Stores [1]:

> To ensure that the User can trust the Wallet Solution, Wallet Providers preferably make their certified Wallet Solutions available for installation via the official app store of the relevant operating system (e.g., Android, iOS). This allows the operating system of the device to perform relevant checks regarding the authenticity of the app.

Of course the chances of any important business implementing a side channel option is effectively zero. Maybe some government agencies will offer the option though.

[0] https://github.com/eu-digital-identity-wallet

[1] https://eudi.dev/latest/architecture-and-reference-framework...

> Wasn't there some talk about the pressing need for European digital sovereignty recently?

At FOSDEM, we discuss this at great length. There has been some movement, and I am optimistic that it is improving year on year.

Not really. EU is actually trying to decouple. But in many cases there are not any homegrown alternatives to support. There is not a single company in EU that could replace, even a considerable part, of software stack provided by Google and Apple.

And, unless the regulatory environment changes., there probably never will be.

> Or was that just performative nonsense?

Yes? Wake up, it is 2026.

The US can call Austria in 5 minutes and with no burden of proof get the airspace permit for a head of sovereign state revoked and the plane swatted instantly upon landing, because someone might have been on board (he wasn’t) whose only real crime was embarrassing the USA by exposing their fundamentally unconstitutional lawbreaking.

Same goes with the prosecutors in Sweden; a phone call and the US got, not charges (as that would actually be official misconduct in Sweden), but enough of an official statement from a prosecutor to get the words “Assange” and “rape” in headlines together around the world by that evening.

European countries are, by and large, lapdogs of the USA. It’s sad. And then the US president turns around and stabs them in the back by threatening invasion and annexation, or complete disregard for the fundamental obligations of NATO members.

I really don’t know what the fuck the Europeans are thinking by playing the US’s stupid games. As we see time and time again, it won’t be repaid in kind.

Europe will never have digital sovereignty from the US.

It will take 100 years and an extremely expensive, government-mandated reimplementation of every critical US tech service and company.

No EU country is putting up budget for this, and no private enterprise is going to do it because building a worse version of AWS just so that it is "European" makes no financial sense and would most likely just fail anyway.

Aren't monopolies is what we end up by default if have no regulation at all?

And yes, not every regulation destroys monopoly, but regulation is the only thing that could break one.

Unless regulations explicitely incorporate how to handle incumbents & newcomers. One instance of that is MMTIS (multi modal passenger information), which explicitly states innovation and new players as a goal. There are other similar examples.

> Regulations create monopolies. Even when regulations are aimed at curbing the control of giants, smaller players usually can't afford them and lose market share. This is actually taught as a competitive advantage strategy in business school. Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost.

The only way to guarantee a monopoly is to have a total lack of regulation. It's known that every "free" market will tend towards monopoly due the 1% law. Regulations are the only way to actually guarantee free markets because perfect free markets only exists in abstract, not in reality. Sometimes, a free market is the wrong solution and you need a regulated monopoly instead and with identity that's the best solution. Why? Because identity is unique to the individual. A individual must (in theory) only have one identity and with very extreme and usually well documented exceptions, such identity doesn't change. The state is the one that must provide a good way for identity and if smaller countries doesn't have the resources, then big countries should provide for all. Also, it removes incompatibility inter-countries while keeping private interests out.

The state should have the sole monopoly on attesting to anyone identity. Because they are the only ones that are not affected by market conditions. This is how countries that have advanced in this topic actually work. If individual states can't reach a common solution, then the collective must do so. The collective failed here because it recommended a private solution rather than mandated a european one. Private sector must not dictate what or how identity is attested, because the private sector has it's profit pursuing agenda, state must evaluate solutions but it's up to the states to run them and implement them.

Market solutions are good for several things, this isn't one of them.

My intuition is that this is not necessarily true, but probably often true in practice but perhaps someone more educated on the matter can speak on that. It must also depend on the expensiveness of the regulation in question. Since in tons of areas regulations are absolutely vital so that for example our buildings don’t collapse, our food remains non-toxic and the medicine we buy is not the pharmacological equivalent to russian roulette the goal should then be to optimise the cost performance of regulations.

> Corporations lobby the government to implement laws that seem to hurt them but in actuality create an uneven playing field where marketshare becomes available due to the higher implementation cost

(nit: I assume you meant "marketshare becomes unavailable")

So you mean that regulations that are created based on lobbying by corporations help them become monopolies? Sure, that makes sense. But thats different from a blanket "Regulations create monopolies".

Regulations __can__ create monopolies. DMA is a regulation, but it does not have the shortcomings you mentioned.

The only problem is, EU does not control these devices, Google and Apple and by extension the US government does.

There are AFAIK no plans to completely remove the offline ID everyone is currently required to carry, so I doubt there will be similar rulings for EUDI as long as it remains an optional alternative for people who want to use online services.

My French ID card has the features, but also the French digital ID app also requires Play Integrity...

Can you elaborate?

But this does not allow tracking nor marketing, so why would they do that?

A few years ago as I was working for a local government, a similar discussion started, but quickly finished after the project owner valiantly displayed her dumbphone.

Only months later did I learn that her husband was investigated for misappropriation of funds, so keeping a minimal digital footprint was important for her.

Moral of the story: everyone has a smartphone.

To paraphrase Napoleon - because India has the will to do it, and the EU does not.

You can just continue using native apps, just dont include / depend on proprietary attestation APIs such as safetynet

I think EU is warming up to the possibility that relying on US tech is has strategic consequences.

There are viable third alternatives which do not require building a full smartphone stack. The national eID in Denmark, MitID, is an app "protected by" Play Integrity, but at least there are two non-smartphone alternatives available in the form of either a TOTP code generator or a FIDO2 chip which you can get for free if you can't or won't buy a smartphone.

Age verification solutions could also be built on dedicated hardware tokens, even though the tokens required to build a ZKP or blind signature based solution may not be available off the shelf right now.

> but the systems needs to be built now anyway.

I question that premise.

They can't tackle issue oft establishing a 3rd popular mobile operating system, true. But they could support Desktop Linux or AOSP.

Windows Phone wouldn't be much help here, still an US company.

Yes, but you can't sign the device, that is what Google and Apple do.

From fingerprint/face id to digital id..

Like banking apps are now using play protect/depending on Google.

(Just a matter of time Google/Apple will be a banks themselves, as is the danger with governments)

Ofcourse the world could be a more open place, but constraint, rules and control are too pleasing to not implement, sadly.

Because Apple has always been a closed platform whereas Android started out being relatively open. For Android there is an alternative to Play Integrity which would enable governments to get remote attestation assurance on non-Google Android based operating systems like GrapheneOS, but that alternative does not even exist in the Apple ecosystem.

Yeah, what alternative is there for iOS except the framework that Apple supplies?