Do not add Google Play Integrity integration #10

@TheLastProject

In the README, the following is listed:

> App and device verification based on Google Play Integrity API and Apple App Attestation

I would like to strongly urge you to abandon this plan. Requiring a dependency on American tech giants for age verification further deepens the EU's dependency on America and the USA's control over the internet. Especially in the current political climate, I hope I do not have to explain how undesirable and dangerous that is.

TheLastProject (Author) commented on Jul 16, 2025

Furthermore, I am surprised this is considered an important next step, given apps like the Dutch identity app Yivi (which has no such dependency) already exist and can be used for age verification by the government just fine (on the few select platforms that work with it). Yivi is even available on Open Source app stores like F-Droid.

I think Yivi's existence should be sufficient proof that Google Play Integrity integration is unnecessary.

Yivi (formerly IRMA) homepage: https://yivi.app/en/

thgoebel commented on Jul 16, 2025

duncan-bayne commented on Jul 16, 2025

In addition, tying age verification to specific operating systems and their vendors (large American tech companies) violates two of the three principles listed elsewhere in this org:

  • made available to anyone who wants to use it
  • controlled by users

duncan-bayne commented on Jul 17, 2025

Furthermore, from https://ageverification.dev/Technical%20Specification/architecture-and-technical-specifications/#24-design-principles -

  • Interoperability: The solution ensures seamless integration across diverse device operating systems, wallet applications, and online services.

Tying age verification to specific operating systems will directly violate this design principle.

yaysoup commented on Jul 17, 2025

Digital sovereignty is a necessary step to reduce the risks of data processing. There should be no dependencies for external services from third parties at all since each one adds a whole ecosystem of potential security issues.

orazioedoardo commented on Jul 17, 2025

This is insane, what's the threat model? Someone remotely exploiting a device to steal proof of age of majority just to watch p__n (most common use case)? Is it even realistic? Why does this service need an app at all? Just create a modern web app, maybe even leveraging Digital Credentials API. I'm tired of app-for-everything.

BoGnY commented on Jul 17, 2025

This happens because those who draft the technical specifications don't know how the technologies they propose work.

As I've explained elsewhere, this is ridiculous. Here's a brief excerpt from one of my posts elsewhere:

It's incredible that the European Commission sanctions Google for abuse of dominant position and asks to open the operating system to other stores to allow "free" competition and you [the writer of technical specifications] impose the use of tools that exclude the free choice of the user and give to Google all the power of choice, that's really INCREDIBLE...

There are dozens of ways to secure these apps' certificates without using proprietary systems.
Not to mention that Play Integrity systems are 100% illegal.

orazioedoardo commented on Jul 18, 2025

> There are dozens of ways to secure these apps' certificates without using proprietary systems.

Does it need to protect those certificates at all? Maybe I'm too naive, but couldn't this simply be implemented by verifying a random challenge signed by a national identity provider?

  1. User goes to p__n website
  2. Website detects user is visiting from Europe
  3. Website downloads them a file containing a random string
  4. Website tells them to visit verifyage.gov.example
  5. User logs in via identity provider and uploads the file
  6. Challenge is signed and downloaded through the browser
  7. User goes back to the p__n website and uploads the file
  8. Website verifies the challenge is signed by a trusted entity

Avoids having to protect the signed challenge at all since it's single use; the scheme is similar to authenticating with SSH or WebAuthn. I haven't checked the architecture thoroughly, perhaps it does something similar in the end with more bloat in between.
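
Added example (not part of the comment above, and not code from the project): steps 3, 5-6 and 8 of the flow that comment describes, with the website and the identity provider as two parties in one Go program. The `Site` type, the `age-over-18:v1:` prefix, the use of Ed25519 and the challenge expiry are assumptions of this example; the prefix and the expiry go slightly beyond what the comment proposes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sync"
	"time"
)

const ctx = "age-over-18:v1:" // hypothetical prefix: the provider never signs a bare uploaded string
type Site struct { // the relying website
	mu      sync.Mutex
	pending map[string]time.Time // outstanding challenge -> expiry
	trusted ed25519.PublicKey    // identity provider key the site accepts
}

// Issue is step 3: a fresh 256-bit random challenge, valid for ttl.
func (s *Site) Issue(ttl time.Duration) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never hand out a predictable challenge
	}
	c := fmt.Sprintf("%x", b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[c] = time.Now().Add(ttl)
	return c
}

// ProviderSign is steps 5-6; the login and age check before signing are not modelled.
func ProviderSign(priv ed25519.PrivateKey, challenge string) []byte {
	return ed25519.Sign(priv, []byte(ctx+challenge))
}

// Verify is step 8; lookup and deletion share one lock, so a response is accepted at most once.
func (s *Site) Verify(challenge string, sig []byte) bool {
	s.mu.Lock()
	exp, ok := s.pending[challenge]
	delete(s.pending, challenge) // consumed even if the checks below fail
	s.mu.Unlock()
	return ok && time.Now().Before(exp) && ed25519.Verify(s.trusted, []byte(ctx+challenge), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	s := &Site{pending: map[string]time.Time{}, trusted: pub}
	c := s.Issue(time.Minute)
	fmt.Println(s.Verify(c, ProviderSign(priv, c)), s.Verify(c, ProviderSign(priv, c)))
}
```

The second `Verify` call in `main` presents the same signed challenge again and is rejected, which is the single-use property the comment relies on.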

andrew-ld commented on Jul 19, 2025

Please listen to the ongoing issues with the Italian Wallet related to Play Integrity:

mega thread:
pagopa/io-app#6327

Duplicates:
pagopa/io-app#7014
pagopa/io-app#7199
pagopa/io-app#6942
pagopa/io-app#6820
pagopa/io-app#6763
pagopa/io-app#6507
pagopa/io-app#6524

cucumberslumber commented on Jul 27, 2025

Fuck Google

BillCipher-exe commented on Jul 27, 2025

A mandatory Google account is unacceptable in an OSS Project

DannyBoeh commented on Jul 27, 2025

Getting access to a website as an EU citizen by accepting the TOS of an EU-penalized American megacorp is peak 1984.

ksthiele commented on Jul 27, 2025

Besides the privacy issues, this feels like South Korea's IE6 problem back in the day: everything was so tied to and dependent on it that they couldn't get rid of it. But I guess we are just humans repeating mistakes, getting influenced by lobbyists, uninformed people, people who can't imagine what things will look like in 10 or more years.

petervanstark commented on Jul 27, 2025

This would be a massive hindrance to all South EU states, where adoption of non-Google phones is large.

This would also be a massive dependency on Google.

Furthermore, why on earth are you building digital ids but then not doing IDPs, then forcing users to use some extra app for agecheck... they and their OS maintains...

It is bad UX, it causes issues, not sure if it adds any security.

128 remaining items

andreapaiola commented on Jul 29, 2025

I support this issue: it's totally NOT ok to use USA proprietary tech for national and european issues.

stormi commented on Jul 29, 2025

I support it too. It's hard enough to use a smartphone without Google sucking out all privacy from it, don't make these efforts useless by enforcing the use of their tech.

waltercool commented on Jul 30, 2025

> I support this issue: it's totally NOT ok to use USA proprietary tech for national and european issues.

Funny that people seem to be far more concerned with Google being part of the solution than the solution itself.

Looks like Europeans do want to show their papers in order to use internet, whatever, just don't put US companies in the middle.

Europeans have no sense of freedom or privacy. They just want to comply with DSA (Digital Services Act AKA Digital Surveillance Act) in the best way possible.

stormi commented on Jul 30, 2025

One can be concerned with both.

CelDaemon commented on Jul 30, 2025

> Looks like Europeans do want to show their papers in order to use internet, whatever, just don't put US companies in the middle.

Absolutely not, this project shouldn't exist in the first place. However instead of it just being a privacy intrusive and censorship accelerating nightmare, in its current state it also prevents people from using their own hardware. These are separate issues.

PlexSheep commented on Jul 30, 2025

Forcing the use of Google approved operating systems means dependence on the US, and forcing all citizens to use American operating systems. As an EU citizen, I think that this is not acceptable.

Just a few days ago when I first heard of the solid cryptography being implemented here, I was positively surprised. The infrastructure being provided has value, and not just for "are you 18+?" questions.

But tying it to Google approved operating systems destroys the trust you build with good cryptography again.

dj-sf commented on Jul 30, 2025

I urge you to keep Google out of your critical EU software. American corporations cannot be trusted to adhere to any sort of ethical standards or even rule of law. Do not leave yourselves vulnerable to or dependent on them under any circumstances. If you give an inch they will take a mile.

lietu commented on Jul 30, 2025

> I don't get the general negativity here. While I agree that Google integration for remote device attestation is wrong, the general idea behind this project is good.

False. The general idea behind the project is dangerous and ineffective at the claimed goals.

> Keeping out bots and russian trolls from online discussions is in all Europeans' interest I would think, and this organization's plan for a digital identity is nice.

How exactly is age restriction on porn sites going to keep bots, russian trolls, nazis, and so on away from

  • Facebook
  • Twitter
  • TikTok
  • Youtube
  • Podcasts
  • Everything else you and your grandma get your misinformation from

In short: it does nothing to solve the root cause of the issues.

It is also trivial to bypass, all the users have to do is google for "free VPN" and give up even more of their privacy and security, which is exactly what most of them will end up doing if something this idiotic is put in place.

> I don't like age controls online, they are pointless footholds for authoritarian fantasies, but I do think that this project tries its best to solve this issue in a technically elegant way which conserves privacy as best as possible.

There is no elegance here, it's like forcefully pushing uses for blockchain in the vague hope that some day that "elegant" solution will be useful.

This project asserts as its basic premises that

  • This must be done
  • Age verification is important enough to strongly identify individuals
  • Age verification is important enough to demand every EU citizen owns a smart phone

This issue only adds

  • Age verification is important enough to demand every EU citizen owns a smart phone with an approved OS
  • Age verification is important enough to demand every EU citizen accepts the ToS of an actively hostile foreign corporation

In actuality of course none of the above bullets are true.

poetaster commented on Jul 30, 2025

To force either a dependency on Google or Apple would border on the bizarre. I have tens of thousands of users on Linux mobile systems who, with some difficulties indeed, attempt to maintain their liberty from these monopolists and their egregious abuse of our privacy laws. To submit to Google cannot possibly be in accord with European law.

CyberSeas commented on Jul 30, 2025

I will never allow anything Google related on my degoogled device, nor would I ever allow an age verification app like this on my phone. Stop pretending this is anything more than an attempt at mass-surveillance.

orazioedoardo commented on Jul 30, 2025

It tells a lot that you not just deleted a protest merge request without a trace (#13, archive here), but also got its author's account nuked from github!

AFAIK you can't even delete issues like that, you need to contact GitHub support to do it (for example if it contains PII).

$ curl -sSf -L -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' 'https://api.github.com/repos/eu-digital-identity-wallet/av-app-android-wallet-ui/issues' | jq -r '.[] | select(.number) | .number' | xargs
31 29 28 27 26 25 24 23 22 20 19 18 16 15 14 11 10 8 3 2
$ curl -sSf -L -H 'Accept: application/vnd.github+json' -H 'X-GitHub-Api-Version: 2022-11-28' 'https://api.github.com/repos/eu-digital-identity-wallet/av-app-android-wallet-ui/pulls?state=all' | jq -r '.[] | select(.number) | .number' | xargs
26 12 9 8 7 6 5 4 2 1

So they asked GitHub to delete issues and/or pull requests numbered 30 21 17 13, they could have just closed and locked them and addressed the situation.

alexionut-tincu commented on Jul 30, 2025

So in a world where a law requiring you to verify your identity digitally before accessing websites passes, and this implementation is chosen, you are obligated to have a Google account in order to... exist on the internet? Have a Google (or whatever the alternative is for iOS) account or you are unable to access the internet? And let's not kid ourselves with the "this will only be for NSFW content". Virtually every website which has any form of a public forum will have NSFW content, no matter how good the moderation.

Am I missing something?

Edit: I just read above that you nuked a merge request without trace that protested the obvious problems with this repo. Shameful. I will repost the link so it doesn't get lost. If you read this and were going to post a reply, pass on the link to the archived merge request.

hashara256 commented on Jul 30, 2025

1984 George Orwellian's universe has warned us on Thought Police since published in 1949.
Over 75 years have passed and humans still don't get it!

pejiji commented on Jul 30, 2025

The specs say: App and device verification based on Google Play Integrity API and Apple App Attestation.
Are you so stupid?
What would happen if, as an example, a yellow hair president decided to block the API access for non American citizens ?
DO NOT RELY EUROPEAN INFRASTRUCTURES ON US DRIVEN TECH.

jotkauser commented on Jul 30, 2025

I agree, abandoning Play Integrity integration will make life easier for people who use Custom ROMs on their devices and make the app independent from Google and their shitty GMS

Do not add Google Play Integrity integration · Issue #10 · eu-digital-identity-wallet/av-app-android-wallet-ui