So is there a way to apply pressure on the EU to think this through first? Surely they could have different ways that doesn’t lock them in to google services.
According to the users in that issue, the mere application of the API is illegal, as is the dependency. Sooo I dunno what kind of PACs there are in the EU but I would be leaning on and contributing to those.
I do feel like that’s a precarious state to leave this in, especially if they’re developing the backend for it.
Is there even enough momentum for a SKG-style wave of coverage? It would need to be justified properly by citing things like the Tea app data leak, to make a strong case (to political pencil pushers) for the danger of tying personal information to profiles or even to platforms. Otherwise the only thing they’ll see is “gamers want to make porn accessible to children”.
I don’t know. This whole situation boils my blood because I really care about online anonymity, and this is kind of nightmare scenario shit for me. I’m not even in the UK or EU.
To avoid people from simply copying the “age proof” and having others reuse it, a nonce/private key combo is needed. To protect that key a DRM style locked down device is necessary. Conveniently removing your ability to know what your device is doing, just a “trust us”.
Seeing the EU doesn’t make any popular hardware, their plan will always rely on either Asian or US manufacturers implementing the black-box “safety” chip.
If it is about hiding some data handled by the app, that will be instantly extracted.
There are plenty of people with full integrity on rooted phones. It’s really annoying to set up and keep going, and requiring that would fuck over most rooted phone/custom os users, but someone to fully inspect and leak everything about the app will always be popping up.
If it is about hiding some data handled by the app, that will be instantly extracted.
Look at the design of DRM chips. They bake the key into hardware. Some keys have been leaked, I think playstation 2 is an example, but typically by a source inside the company.
That applies to play integrity, and a lot of getting that working is juggling various signatures and keys.
The suggestion above which I replied to was instead about software-managed keys, something handed to the app which it then stores, where the google drm is polled to get that sacred piece of data. Since this is present in the software, it can be plainly read by the user on rooted devices, which hardware-based keys cannot.
Play integrity is hardware based, but the eu app is software based, merely polling googles hardware based stuff somewhere in the process.
I understand. In the context of digital sovereignty, even if the linked shitty implementation is discarded (as it should be), every correct implementation will require magic DRM-like chip. This chip will be made by a US or Asian manufacturer, as the EU has no manufacturing.
It’s that “whatever way” that is difficult. This proposal merely shifts the problem: now the login to that 3rd party can be shared, and age verification subverted.
The site (2) sends the request to the user (1), who passes it on to the service (3) where it is signed and returned the same way. The request comes with a nonce and a time stamp, making reuse difficult. An unusual volume of requests from a single user will be detected by the service.
So is there a way to apply pressure on the EU to think this through first? Surely they could have different ways that doesn’t lock them in to google services.
According to the users in that issue, the mere application of the API is illegal, as is the dependency. Sooo I dunno what kind of PACs there are in the EU but I would be leaning on and contributing to those.
I do feel like that’s a precarious state to leave this in, especially if they’re developing the backend for it.
Is there even enough momentum for a SKG-style wave of coverage? It would need to be justified properly by citing things like the Tea app data leak, to make a strong case (to political pencil pushers) for the danger of tying personal information to profiles or even to platforms. Otherwise the only thing they’ll see is “gamers want to make porn accessible to children”.
I don’t know. This whole situation boils my blood because I really care about online anonymity, and this is kind of nightmare scenario shit for me. I’m not even in the UK or EU.
We’ve had this shit in the US for a while now.
To avoid people from simply copying the “age proof” and having others reuse it, a nonce/private key combo is needed. To protect that key a DRM style locked down device is necessary. Conveniently removing your ability to know what your device is doing, just a “trust us”.
Seeing the EU doesn’t make any popular hardware, their plan will always rely on either Asian or US manufacturers implementing the black-box “safety” chip.
If it is about hiding some data handled by the app, that will be instantly extracted.
There are plenty of people with full integrity on rooted phones. It’s really annoying to set up and keep going, and requiring that would fuck over most rooted phone/custom os users, but someone to fully inspect and leak everything about the app will always be popping up.
Look at the design of DRM chips. They bake the key into hardware. Some keys have been leaked, I think playstation 2 is an example, but typically by a source inside the company.
That applies to play integrity, and a lot of getting that working is juggling various signatures and keys.
The suggestion above which I replied to was instead about software-managed keys, something handed to the app which it then stores, where the google drm is polled to get that sacred piece of data. Since this is present in the software, it can be plainly read by the user on rooted devices, which hardware-based keys cannot.
Play integrity is hardware based, but the eu app is software based, merely polling googles hardware based stuff somewhere in the process.
I understand. In the context of digital sovereignty, even if the linked shitty implementation is discarded (as it should be), every correct implementation will require magic DRM-like chip. This chip will be made by a US or Asian manufacturer, as the EU has no manufacturing.
The key doesn’t have to be on your phone. You can just send it to some service to sign it, identifying yourself to that service in whatever way.
It’s that “whatever way” that is difficult. This proposal merely shifts the problem: now the login to that 3rd party can be shared, and age verification subverted.
A phone can also be shared. If it happens at scale, it will be flagged pretty quickly. It’s not a real problem.
The only real problem is the very intention of such laws.
How? In a correct implementation, the 3rd parties only receive proof-of-age, no identity. How will re-use and sharing be detected?
There are 3 parties:
The site (2) sends the request to the user (1), who passes it on to the service (3) where it is signed and returned the same way. The request comes with a nonce and a time stamp, making reuse difficult. An unusual volume of requests from a single user will be detected by the service.