European "age verification" "app" forcing everyone to use Android or iOS
European “age verification” “app” forcing everyone to use Android or iOS
欧洲“年龄验证”应用强制用户使用 Android 或 iOS
In the README, the following is listed: “App and device verification based on Google Play Integrity API and Apple App Attestation.” I would like to strongly urge to abandon this plan. Requiring a dependency on American tech giants for age verification further deepens the EU’s dependency on America and the USA’s control over the internet. Especially in the current political climate, I hope I do not have to explain how undesirable and dangerous that is. 在项目的 README 文档中列出了这样一条:“基于 Google Play Integrity API 和 Apple App Attestation 的应用及设备验证”。我强烈建议放弃这一计划。要求年龄验证依赖于美国科技巨头,会进一步加深欧盟对美国的依赖,以及美国对互联网的控制。特别是在当前的政治气候下,我希望我不需要解释这有多么不可取且危险。
Furthermore, I am surprised this is considered an important next step, given apps like the Dutch identity app Yivi (which has no such dependency) already exist and can be used for age verification by the government just fine (on the few select platforms that work with it). Yivi is even available on Open Source app stores like F-Droid. I think Yivi’s existence should be sufficient proof that Google Play Integrity integration is unnecessary. 此外,我很惊讶这被视为重要的下一步,因为像荷兰身份验证应用 Yivi(它没有这种依赖)已经存在,并且可以很好地被政府用于年龄验证(在少数支持它的平台上)。Yivi 甚至可以在 F-Droid 等开源应用商店中下载。我认为 Yivi 的存在足以证明集成 Google Play Integrity 是不必要的。
Worth a caveat before Yivi gets held up as the privacy-clean benchmark. Its NFC passport flow isn’t dependency-free either. From the issuer source, enrolling a passport sends the raw NFC data groups to a central issuer server. DG1 (full MRZ) and DG2 (facial image) are mandatory in parsePassportDGs, and the server parses out name, document number, nationality, DOB and gender. Face matching then runs through Regula’s third-party API. So the authenticity guarantee comes from sending your full MRZ and facial image to a central server plus a third-party biometric service. 在将 Yivi 奉为隐私保护标杆之前,有必要提醒一点:它的 NFC 护照流程也并非完全没有依赖。从发行方源代码来看,注册护照时会将原始 NFC 数据组发送到中央发行服务器。DG1(完整机读码)和 DG2(面部图像)在解析护照数据时是强制性的,服务器会解析出姓名、证件号码、国籍、出生日期和性别。随后,人脸匹配通过 Regula 的第三方 API 进行。因此,真实性保证来自于将你的完整机读码和面部图像发送到中央服务器以及第三方生物识别服务。
This seems to be a fork of the EUDI wallet. Please remove the requirement for Google Play Integrity; use the standard Android hardware attestation API to verify the device, OS, and app instead of enforcing licensing Google Mobile Services. 这似乎是 EUDI 钱包的一个分支。请移除对 Google Play Integrity 的要求;使用标准的 Android 硬件认证 API 来验证设备、操作系统和应用,而不是强制要求授权 Google 移动服务(GMS)。
In addition, tying age verification to specific operating systems and their vendors (large American tech companies) violates two of the three principles listed elsewhere in this org: “made available to anyone who wants to use it” and “controlled by users.” 此外,将年龄验证绑定到特定的操作系统及其供应商(美国大型科技公司)违反了该组织在其他地方列出的三项原则中的两项:“向任何想要使用它的人开放”以及“由用户控制”。
Furthermore, from the design principles: “Interoperability: The solution ensures seamless integration across diverse device operating systems, wallet applications, and online services.” Tying age verification to specific operating systems will directly violate this design principle. 此外,根据设计原则:“互操作性:该解决方案确保在各种设备操作系统、钱包应用和在线服务之间实现无缝集成。”将年龄验证绑定到特定的操作系统将直接违反这一设计原则。
Digital sovereignty is a necessary step to reduce the risks of data processing. There should be no dependency. 数字主权是降低数据处理风险的必要步骤。不应该存在任何依赖。