Dutch digital identity system crisis (fsfe.org)
278 points by softwarefreedom on May 9, 2022 | 171 comments



For a long time I've been trying to find e.g. a bank that would not basically require an Android or iOS device for me to shop online. Many of them even have "root detectors", which basically means these programs won't work on "rooted", "de-Googlefied" and/or free Android implementations. After some complaints the only thing I managed to get is for them to fall back to SMS 2FA, which at this point I consider a blessing.

I've already said this numerous times here on HN, but it is a dark future we are getting into. The only thing that came remotely close to this level of "you require this proprietary software for daily life" level of danger was ActiveX.


You're not wrong, but it's a real problem, both technically and socially, without much in the way of a good solution. Android and iOS provide significant security by virtue of the chain of trust starting with Google or Apple and running down through their software and hardware (Google is a bit special here, I'll admit).

This makes it easy for businesses like banks to work with those ecosystems and provide a secure experience without inventing much themselves. What's the alternative? SMS 2FA is abysmal. Maybe they could provide you a configurable webhook, but now they don't control the experience, and that's part of their requirements. Not to mention I wouldn't trust a bank to implement webhooks correctly.

The problem is we're becoming sophisticated enough as a society that we are forced to rely on a few establishments to maintain that sophistication. Whether it's for chain of security, microprocessors, springs in our toasters, it's not possible to keep everything open and interchangeable while maintaining our current way of life.

I'd love that, but it's not realistic, as far as I can tell.


Before the "standardization" on SMS first and later on Google/Apple systems, there were a number of methods, since banks did try to do R&D to cut down on fraud:

* One-time-pads (yes, I had a bank that would give me a card with 50 codes you were supposed to use once, then go back to the branch for more. Didn't last long, though, and was replaced with:)

* Reusable codes: bank gives you a card with 50 codes. Bank randomly asks you for code number X. X may eventually repeat over time. (Bank also tells you your specific card serial number so that you can identify them).

* Credit cards housing an actual e-Ink display that would give TOTP codes. https://www.e-ink-info.com/e-ink-used-create-dynamic-cvv-cre...

* Actual FIDO devices.


My bank issues a FIDO device: a card scanner with a built-in camera that reads QR codes. Excellent tool, but for a few years now the bank has been actively discouraging its use, touting the benefits of apps instead. It costs them around 60 euro to issue the device, and, sadly, that's incentive enough to advocate less secure solutions. When they take it away from me, I am out of options as this is the last bank in my country that issues them to individuals :-/


Rabobank? Yes it’s nice but I always find it a pain haha. 60€ wow, when they were first sent around they very easily gave me 2 extra to put at work etc.

What about N26, I don’t remember needing the app and I can log into a website. Not sure though…


"What's the alternative? SMS 2FA is abysmal."

It seems to be forgotten that email 2FA exists.

I can't quantify the risks relative to SMS 2FA because there are such broad-ranging implementations, but given the broad adoption of Gmail, how many people can really snoop unencrypted email traffic at backbone chokepoints?

There are many cases where I would be perfectly happy with the risk profile of either SIM swap attacks or email interception.


The main problem with email 2FA is that if someone gains access to your email account, they can reset your passwords on many sites and services. They can then bypass both the password (by resetting it) and the 2FA (by simply reading your emails).

Even better, if you re-use passwords, they can use one password to access your email account and the service, and get the 2FA token via email.


If someone gets access to your phone they can do way more damage, but this is accepted.


It's a lot easier to compromise an enormous purchased batch of email addresses than it is to do SIM swapping attacks on that scale.


> SMS 2FA is abysmal

Is there actually anything wrong with SMS 2FA, other than SIM swapping?

SIM swapping isn't a problem with SMS so much as the phone carriers, who really need to put stricter processes in place for verifying account transfers. IMO, they deserve most of the culpability.


In Scandinavia we have BankID which kind of uses SMS, but not quite. When I try to authenticate it sends a message to my phone and then I have to type in my 4-8 digit pin code on my phone. Apparently they have put a tiny application on the sim card, so sim swapping isn't an issue. Whenever I get a new sim card I have to authenticate the sim card using my hardware token and password.


In Finland I sometimes get SMS in the flow. For bank login it is account and password, then a one-time code. Then when making a transaction I get an SMS telling me which one-time code to enter. And then when paying with confirmation it's the same thing, but just with an SMS code.

I don't really see the point of SMS in the flow, but hey, I can somewhat live with it.


Have only a small amount of money on your regular account for everyday means, with all the money on another account or whatever.

Lose your wallet with cards, lose your phone (or just a phone with Apple/Google Pay). Get a replacement SIM, be locked out of receiving any SMS for 24h[0]. Now be somewhere where there are no local branches of your bank.[1] Or even better - be abroad.

Or just be in a taxi at 9PM when no one works and the bank locks you out - just like when it happened to me. Gladly I found an ATM where I could withdraw from a secondary account.

[0] Actual practice of cellular operators in my country. Safety

[1] Even better with the virtual banks without any.


Isn’t this a problem with _any_ type of 2FA?

I agree insofar as, this is exactly why I strongly believe that 2FA should always be optional. But, if the user has chosen to use 2FA (or has not opted out), what’s wrong with SMS?


> Isn’t this a problem with _any_ type of 2FA?

Not quite, because if you lose your YubiKey - you just lost your YubiKey, you still have the ability to call the bank (and my bank knows my number, so they greet me by name) and at least do something. In the situation I got into in the previous comment I could lift the lockout with the code word, only if I could recall it then.

But the phone is not only your 2FA item, it is also your "virtual identity" now for too many services, banks included. And with the tendency of banks to shoehorn you to their phone apps this starts to get ridiculous, if you lose your phone you are now:

lost your banking app (2FA with push)

lost the ability to 2FA with SMS as a backup

lost the ability to install the app on the new phone (oh hi $username, is it really you even though you just gave your $username@gmail.com and password? We sent you an SMS to confirm it is really you, FOR YOUR SAFETY)

lost the ability to log in to your bank account on someone else's phone (same shit with SMS to your phone number)

Bonus points: if you lost your ID or don't have it on you - you can't restore the SIM with your number. Or even buy a new one in many cases.

> But, if the user has chosen to use 2FA (or has not opted out), what’s wrong with SMS?

Pfft. I was forcefully shoehorned into mandatory SMS 2FA by my bank. I opted out of this some years ago and it did work... till I was 600km from my home, I needed to buy train tickets, I tried to log on to the bank webapp to move the required amount to the primary account only to discover that they had enabled 2FA without asking. And the phone where my SIM (known by the bank)[0] was installed was literally on its last 10% of charge in airplane mode. It could literally shut down just from the act of disabling airplane mode so I could receive the SMS.

So the problem is not with SMS 2FA. The problem is that nowadays "SMS 2FA", at least for the banking apps[1], is way, way more than just SMS alone.

[0] I'm not sure if they monitor IMEI of the device, but I wouldn't be surprised, considering they receive the notification of the changed IMSI.

[1] Not sure how widespread these practices are worldwide.


Phone carriers deserve culpability because unrelated companies use them for purposes they are not supposed to be used for?


They deserve culpability for letting someone else receive my private text messages. It doesn’t matter whether those messages contain one-time passcodes, intimate conversations, or critical business data—they were intended for me and no one else.


One thing that can and must be fixed instantly is to legislate that these businesses can not deny their services to anyone, just like systemic banks and the post office.


> The problem is we're becoming sophisticated enough as a society that we are forced to rely on a few establishments to maintain that sophistication.

Come on, we have open web browsers, which are 100x more difficult to implement than a chain of trust. Surely somebody could come up with a reliable alternative.


> What's the alternative? SMS 2FA is abysmal.

There are cross platform MFA solutions that could be supported. Your guess is as good as mine as to why banks don't support them.


Not really a technical challenge. You could force an equivalent of POSIX, maybe based on WASM, that smartphone makers would be forced to support if they want to sell in your region, and forced to support side loading those apps, as no government should be subject to the caprices of the various app stores. At this point smartphones have a fairly mature feature set to expose to the app. That would also help with the anti-competitive app store practices.


Why is SMS 2FA abysmal?


Can't your number be spoofed?


Can't you just use a credit card?

Every time any HN discussion veers toward alternative smartphone OSes, for instance, people come out of the woodwork to talk about how they just couldn't possibly access their bank without an Android or iOS device... what are you all doing with your bank so often? I log in a couple times a month, from my PC, to check balances and pay my car loan. I've certainly never needed a damn app.


Most banks in the EU require 2FA _every time_ you use a credit card online, due to an EU directive: https://en.wikipedia.org/wiki/Strong_customer_authentication


Yeah. My TSB bank recently implemented this:
- enter credit card details on the website
- go to the mobile app, enter second password
- receive an SMS to my phone number with 2FA code
- log in to the app, approve the payment
- enter first account password
- go back to the website and click continue

That's all together with iOS FaceID enabled. Monzo is actually way simpler.


I've started using MobilePay — the Danish send-money-to-anyone-with-a-phone-number system — rather than a debit/credit card wherever it's offered.

I've usually provided my phone number already, as part of the delivery address, so it's a click to choose MobilePay, another to confirm the number, then I fingerprint-unlock the MobilePay app and swipe to confirm the payment request that appears.


It's not really "send-money-to-anyone-with-a-phone-number", it's "send-money-to-anyone-with-the-mobilepay-app-installed" - and it only works on iPhones and unrooted Android phones with Google services enabled.

As someone who doesn't have it, it's very rapidly become the thing that makes me feel the most like a second-class citizen.


It would be nice if they'd also implement it using online banking.

The British version (PayM) isn't used much, but at least you can add a phone number to your own account within normal internet banking, and send money to a number linked to an account without either side using an app.


Not literally every time, it has a value threshold (also depends on your previous relationship with the vendor, I guess).

So, for most purchases it just doesn't trigger


Not in the EU. I pay for a lot of nonrecurring things via money transfer and I need a TAN for every online transaction. Before mobile apps they would occasionally mail me a list of like 50 of them [1] but that's not a thing anymore. Every online credit card transaction has to be confirmed in the banking app as well.

1: https://en.wikipedia.org/wiki/Transaction_authentication_num...


I don't have a credit card but sometimes I can't even buy a game on Steam without using a damn app. Trying to shop online has turned from nightmarish to impossible without these apps in just a couple of years.

I tried using the site of my bank but I could never make it work. There's no fighting it and it sucks.


Are you suggesting the parent rely on one US-based oligopoly to avoid using another US-based oligopoly?


My bank doesn't seem to do root detection. I haven't tried it on a phone without at least microgapps but I'm pretty sure that it just works. Even on LineageOS with root I never really had any problems.

I do recall seeing a popup at one point ("hey we see you've done some weird shit to your phone, call us if you don't know what rooting means" or something like that) but that's really just about it.

I should try running it in Anbox, come to think of it. Would be a fun experience.

If you're a developer in the EU and you think you can do better, the PSD2 system is set up to allow for fintech solutions like these. You'll need to get the necessary documentation in order, or even a license, to get access to actual banking APIs (thank goodness) but from that point on you should be able to write your own app. You'll have to be very careful, though, you don't want to anger the financial regulators.


Which bank is that? My bank sees weird shit on my phone, it shuts down with no error message. I want in.


Your mileage may vary, but https://ing.nl/ has been working great for me. Probably not as good outside the Netherlands.

https://play.google.com/store/apps/details?id=com.in...

Also, I tried running the app in Anbox but there's no x86 build of the APK and Google's ARM Android emulator is just broken these days, the VM doesn't even boot.


Bunq's app works great on GrapheneOS without any Google services installed whatsoever.


Maybe there’s a market for dual-OS-installation smartphones, as an extension of dual-SIM ones.


In case you are still looking for a card that will work without an app, American Express sends you emails and SMSs with validation codes for online purchases.


FWIW, Bunq's app works on GrapheneOS without any Google services installed whatsoever.


> In the mean time there was also a desktop application available to read out the NFC chip of an identity card. This app is only available through the Windows 10 app store. With all my computers running Debian or Ubuntu, that was no option for me.

I fear this isn't a temporary oversight but a sign of the long-term trends towards governments only supporting the major platforms. Those platforms will then complete the quid pro quo by "voluntarily" banning apps that the government doesn't approve of, like bittorrent, Tor, E2EE messengers, VPNs, etc.


This is miles from a temporary oversight. In the Netherlands unchecked citizen surveillance is the norm, and that has nothing to do with being a democracy. The same way the US "still" is a democracy but unchecked surveillance is pervasive.

"Dutch civil servants used social media to spy on citizens, says study"

https://www.euronews.com/my-europe/2021/05/19/dutch-civil-se...

"Dutch secret service 'also has access to information from PRISM'":

https://news.ycombinator.com/item?id=5860215

"The Netherlands, a surveillance state?" (2017):

https://www.ictrecht.nl/en/blog/the-netherlands-a-surveillan...

"Sweeping surveillance powers planned by Dutch government" - "The Netherlands is already the most heavily phone-tapped country in the world" (2016)

https://www.irishtimes.com/news/world/europe/sweeping-survei...

"With a population of 17 million, the Netherlands is already the most heavily phone-tapped country in the world – with about 26,000 taps granted to the police and other agencies, excluding the security services, every year, according to figures from the Department of Justice."

The author of the article just made himself part of this list...


> "With a population of 17 million, the Netherlands is already the most heavily phone-tapped country in the world – with about 26,000 taps granted to the police and other agencies, excluding the security services, every year, according to figures from the Department of Justice."

Not surprising, given that the Netherlands is the major port of entry for drugs into Europe - the port of Rotterdam alone had cocaine seizures worth 5 billion euros in 2021 [1], and Europol estimates 1500 distinct criminal organizations in the cocaine trade [2].

[1] https://www.nrz.de/region/niederrhein/rotterdamer-hafen-koka...

[2] https://www.nzz.ch/international/die-niederlande-sind-fuer-d...


Glad to hear that this is all in the name of the war on drugs. /s


It's difficult to molest a child over the telephone.


In other words all this surveillance is done for a useless purpose?


Out of paranoia, I do all my piracy on a completely different machine than all my banking, taxes, official stuff anyways. Which is also a separate machine from the one I use for work. How many devices does one person need?


You only need one machine running Qubes OS: https://qubes-os.org. Works for me.


Purism, framework, and similar are coming at the right time then, eh?

Most recent government services operate via the web or APIs anyhow.

Plus suing for alternatives to Google/Microsoft duopoly should be front and center for fringe firms in the space.


Probably too late, honestly, but still worth trying.

Honestly, FirefoxOS received a lot of flak for not "focusing on their browser", but if it had succeeded it would have been a huge win for digital freedom and privacy.


Germany supports ID card reading on almost all distros: https://www.ausweisapp.bund.de/en/open-source-software


These "smartcard" ID systems (which were reasonably open) are getting deprecated all over the EU in favor of smartphone-based solutions.


I mean couldn't you just run Wine or something?


That's a good point, at least for the immediate problems, but I suspect that in the longer term, governments will make their apps check for genuine Windows/macOS installs using remote attestation, like some online games are already doing.

https://arstechnica.com/gaming/2021/09/riot-games-anti-cheat...


Roll over and play dead often enough, and eventually the world around you will just assume you don't care and stop bothering to even inform you of the upcoming tricks they'll be requiring you to perform.


If it's only available through the Windows App Store, is that even possible to do? I haven't actually used Wine in a very long time, so I don't actually know how that would interact with the App Store.

Then there is the question about interacting with the hardware for reading the card as well.


App store says WPF to me which won't work in Wine.


You don't need to use UWP/WPF/whatever it's called these days to get the application into the MS Store. Good ol' Win32 programs can be packaged and distributed through there as well.

Microsoft wants you to use their new APIs but they realised they couldn't force developers to do that. With their efforts for a mobile phone operating system dead in the water they've been more accepting of normal applications for a while now.


EU members: Android and iOS are a duopoly that must be addressed.

EU member: lol, citizens get yourself an iPhone or Android or no digital services for you.

Yes, I am glossing over nuance here - but how short sighted is this approach.


From another perspective, the latter proves the former. Google and Apple are so dominant in the market that consumers have no choice but to use their services. As such, the services require public oversight.

Yes, the Dutch government is itself perpetuating the situation, but they're only doing what private industry has for years.


But that's a complete lie. There is the web, which has worked more than well enough for all government-personal contact purposes way before Android and iOS even existed. It's only now that they stopped caring about web and do the latest whim instead.

And I just can't understand this logic?

1) Someone makes a platform, it's big and successful

2) State wants to overlord it, so they make apps only for said platform

3) State says platform is so dominant apps are only on said platform and there's no choice - must be regulated

Wtf?


You have to remember that a government is not a single hive mind. 2 and 3 are probably being pushed by completely different groups of people with differing goals.


That's one of the big problems of states. Every power you give a state government, there's someone (not one - thousands, if not more) waiting to do bad things with it. And while they're busy with it, the other part will keep claiming how you're a bad person because you don't want to help poor people.


That's not quite the order it happened, though:

1) Someone makes a platform, it's big and successful.

2) Private companies (banks, taxi services, streaming providers, education platforms) decide to only make apps for said platform, because the potential market of customers using anything else is too small to justify any business investment.

3) State says platform is so dominant apps are only on said platform and there's no choice - must be regulated.

4) State follows the same practices as private companies when making its own apps, for the same reasons as the private companies.


That doesn't change anything about it being bullshit. Web is still there and better than ever, and works on every platform too (as it always did). For their purposes, it's feasible to render only the most basic HTML/CSS and process everything server-side; thus the choice to make only incompatible platform-specific apps is theirs and theirs only. The private sector - banks, taxis, etc - have absolutely nothing to do with it, and they're still doing webs today (more than ever, actually)!


> Web is still there and better than ever, and works on every platform too (as it always did).

We're talking about an MFA solution, no? There's really no way to do that with pure HTML/CSS, you need some sort of TOTP generator.

IMO, this is why 2FA should always be optional, but the rest of the world seems to disagree with me...


U2F has been around for a long time and has worked great for me for email (and is more of a real second factor than TOTP: you just plug it in and push the button and it does its crypto thing). There are similar newer standards like FIDO2. I think some of those standards work with smartphones too (haven't checked recently)?


Why is SMS auth (like my bank does, with plain HTML/CSS pages) not sufficient?

Anyways, my government is sending me SMS for auth anyways and won't stop anytime soon. No need to introduce yet another requirement on the citizens.


Because it's too easy to convince carriers to port someone else's phone number to a new SIM. I wish the carriers would address that, but that too would likely require some sort of government intervention.


Alas, if only the government could provide government intervention? Since they can't, we're left only with the option of government intervention to mandate use of android or iOS?

In fact, intervention wouldn't have to be to change SMS. They could instead mandate a standard like U2F or FIDO2. If they really don't like those for some reason, EU states could get together and make a new standard and mandate that.


I agree with this take! I was trying to defend the Digital Markets Act, and was responding to someone who (as far as I could tell) appeared to be fundamentally against any or at least most government regulation.


Yeah, especially if it's not absolutely necessary (e.g. the goal would be otherwise impossible).

I'd be okay if they regulated telco carriers a little bit more than they already do; much more okay than with anything resembling what they're trying to do now.


Government regulation doesn't only exist to thwart monopolies.


> but they're only doing what private industry has for years.

Thoughts similar to this one are often deployed here - like this:

commenter A: This makes <problem related to surveillance> worse

commenter B: It's only incrementally worse, so it's OK. Besides <other parts of problem> mean there's no practical difference currently (at least if you've already basically admitted defeat about <problem> as I have), so what possible rational basis could there possibly be for not going ahead?

But many steps that make a problem incrementally worse can lead you to a bad place. Many steps that make things incrementally better would lead us to a better place. And with a tangled problem like this is by now, I think you do sometimes have to accept that not every step may always make a practical difference for many people, if you want to move towards a solution rather than forever away from it.

In this case I'm surprised to see you use the word "only" - government starting to mandate something is a significant step over even a duopoly doing so, because the cost of trying to ignore a government mandate can be much higher even than ignoring the smartphone duopoly - right? I can and do avoid the smartphone duopoly currently, but good luck to me if the government mandates it, eh?

Also given government power, in some ways it's a lot easier to make progress on knotty problems like this one than it is for a company, because government has a lot of power - so in that sense they have less excuse than private industry for moving us backwards here. Of course the public, though I think they see the problem to some extent, don't really believe in solutions yet. It's up to us to give them confidence that better solutions exist.


To be clear, I don't think what the Dutch government has done here is okay. But I don't find it contradictory.


I wonder how much of it is also.

EU member: Hey IT team get us some sort of identity verification! (doesn't care about the details)

The nuance and knock on effects, costs, and etc of policy are often hard to account for, but big sweeping legislation sure is nice to think about.


Dutch digital identity verification system DigiD has announced the phasing out of SMS as a second factor. That way they require citizens to install a smartphone app in order to use digital services from the government, municipalities, the health sector and others. These applications only work on iOS and Android phones, with reliance on third-party services.

Plenty of members of our community choose not to use a device that is tied to vendor-specific services.

What does phasing out of SMS have to do with this? SMS is using a device (SIM or eSIM) that is tied to (wildly insecure) vendor-specific services.

Further, a decent alternative, TOTP, is not iOS or Android specific. Nor are Yubikeys.

It's unbelievable to me how many people's accounts are tied to, and have been reassigned to bad actors by, their telco, and yet banks still think this is a lovely idea.

Pretty convinced the survival of SMS as 2FA is, as made clear by FB among others, excused "because we take your security seriously" but actually implemented for tying you to your data master record.


TOTP is easily phished and the Digid app is using a sort of challenge/response system that shows you the government service that you're authenticating to. It can still be phished, but nobody is applying for government grants by faking a tax service login page if you're not ignoring the screen in front of you.

I don't know a second factor standard that provides the same level of validation. FIDO2 is probably more secure but it doesn't support the current security mechanisms already in place right now. I'd like the standard to be extended in some way, like Yubikey-like devices with screens to verify what you're doing with the necessary key attestation for government services, but we can only wait and see.

I'm not sure if these apps require Google Play services or not, but if they don't, I have no problem with them from a privacy perspective. You can run them in Anbox if you want and they're some of the lowest permission apps I have on my phone.

The real victims of this move aren't the privacy enthusiasts who run Qubes on their coreboot-enabled Thinkpads, they'll find a way. I'm worried about the elderly and other less technically minded who have no idea how any of these apps work. The government doesn't provide them any courses on how to use their services and neither do the banks. The layout and flow of the official apps keep changing and it's impossible for some to keep up. People say "well you should just Google it then" but that's even worse, because that's the easiest way to get scammed out of your money. Someone will definitely have paid top dollar for an ad that matches keywords like "how to log into bank" leading to a step-by-step guide on how to transfer all your money to a money mule.


> FIDO2 is probably more secure but it doesn't support the current security mechanisms already in place right now.

What do you mean by this? What security mechanisms, and why does FIDO2 need to support them?

There's also U2F of course, but in the absence of more pressure I guess that everybody who was using that will use FIDO2 or nothing (seems like a regression from my point of view - I don't have any need for passwordless login).

> The real victims of this move aren't the privacy enthusiasts who run Qubes on their coreboot-enabled Thinkpads, they'll find a way. I'm worried about the elderly and other less technically minded who have no idea how any of these apps work.

The real victims aren't any individual but society - the real problem is destabilisation through centralisation of power.


This is also a problem for lots of banking in the EU now (with some exceptions -- using a hardware TOTP or similar device).

I can't log in to the bank without the phone. Also you can't verify online payments in most locations without the app.

Previously the digital certificates were used.


Yep, my bank forces me to use an Android/iOS only app. As far as I'm aware, there's not a single bank in my country that supports open 2FA standards, like FIDO2.

Infuriating, and it's only going to get worse. And then the EU complains about Google/Apple's monopoly power - I wonder why...


There's a single one in my country (Boursorama). Even more infuriating, banks are now forcing clients to use their apps to add beneficiaries without an artificial delay or to make an instant SEPA transfer.


> FIDO2

Lacks the reference to a transaction. An attacker could send unlimited transactions for 15 seconds after you approved yours.


You can include the transaction ID in the clientDataHash calculation, which will be signed by the authenticator. This protects against that attack.

https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-cl...
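As an added illustration (not code from the thread or from the FIDO specification), this Go program shows one way a relying party can bind a FIDO2/WebAuthn assertion to a specific transfer, the point made above: the challenge placed in clientDataJSON is derived from the beneficiary, amount and a fresh nonce, and since the authenticator signs SHA-256(authenticatorData || SHA-256(clientDataJSON)), the resulting signature verifies only against that transfer. The origin, rpID, IBANs and nonce are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type Transaction struct { // the transfer the user is asked to approve; values used below are constructed
	Beneficiary string // payee IBAN
	AmountCents int64
	Nonce       string // fresh per approval request, issued by the relying party
}

// challengeFor derives the WebAuthn challenge from the transfer itself. The challenge lands in
// clientDataJSON, whose hash the authenticator signs, so the assertion is valid for this transfer only.
func challengeFor(tx Transaction) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%d|%s", tx.Beneficiary, tx.AmountCents, tx.Nonce)))
	return sum[:]
}

type clientData struct { // subset of CollectedClientData this example checks
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, as browsers encode it
	Origin    string `json:"origin"`
}

// buildClientDataJSON plays the browser: it records the challenge and the origin actually visited.
func buildClientDataJSON(challenge []byte, origin string) []byte {
	b, _ := json.Marshal(clientData{ // marshalling three plain strings cannot fail
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	return b
}

// signedDigest is what a FIDO2 authenticator signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, cdj []byte) []byte {
	cdh := sha256.Sum256(cdj)
	sum := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return sum[:]
}

// authenticatorSign plays the security key. It never sees the transfer, only the digest,
// which is why the binding has to travel inside the challenge.
func authenticatorSign(key *ecdsa.PrivateKey, authData, cdj []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cdj))
}

// verifyAssertion is the bank's side: it recomputes the challenge from the transfer it is
// about to execute, so an assertion captured for one payment cannot authorise another.
func verifyAssertion(pub *ecdsa.PublicKey, tx Transaction, origin string, authData, cdj, sig []byte) bool {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return false
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin {
		return false // wrong ceremony, or a phishing origin
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challengeFor(tx)) {
		return false // signed for some other transfer (or a stale nonce)
	}
	return ecdsa.VerifyASN1(pub, signedDigest(authData, cdj), sig)
}

// demo runs one approval, then checks it against the same transfer and against a tampered one.
func demo() (sameOK, tamperedOK bool, err error) {
	const origin, rpID = "https://bank.example", "bank.example" // constructed
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	tx := Transaction{Beneficiary: "NL00BANK0123456789", AmountCents: 1250, Nonce: "req-7f3a"} // constructed
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 42) // constructed authenticatorData: rpIdHash, flags UP|UV, counter 42
	cdj := buildClientDataJSON(challengeFor(tx), origin)
	sig, err := authenticatorSign(key, authData, cdj)
	if err != nil {
		return false, false, err
	}
	sameOK = verifyAssertion(&key.PublicKey, tx, origin, authData, cdj, sig)
	tampered := tx
	tampered.Beneficiary = "NL00OTHR9876543210" // a different payee presented with the captured assertion
	tamperedOK = verifyAssertion(&key.PublicKey, tampered, origin, authData, cdj, sig)
	return sameOK, tamperedOK, nil
}

func main() {
	same, tampered, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("approved transfer verifies: %v, tampered transfer verifies: %v\n", same, tampered)
}
```

A real deployment would additionally track the authenticator's signature counter and expire each nonce after one use, so that even the legitimate assertion cannot be submitted twice.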


The layer below does not have to protect against replay attacks. In fact solely relying on such a protection would be a security issue itself. The user could just generate the TAN here and sign the transaction.


1 transaction every ($interval * 1.5) seconds ought to be enough for most non-commercial banking users? Even if you could tie the token to a non-separable 'bundle' of transactions for larger transactions (Payroll for all staff?)

Banking IT seems to have their heads in the clouds of regulations, and risk aversion to even proven modern secure solutions.


An attacker who has compromised the bank’s servers could, sure. But at that point don’t you have bigger problems?


Well, the PSD2 opens the banking to third parties (basically OAuth, just for banks).

So an approved payment initiation services (PIS) can do transactions on your behalf. But you still want to have control over which transfers they actually send, so you want to make sure the confirmation code only works for a certain transaction.


I believe this would have to be implemented by the payment initiation service provider - as far as the bank is concerned, once you authorize the PIS provider they have full access and can initiate any transfers they want.


Compromising bank servers is less harmful than compromising individual customers, because it's the bank (or perhaps the insurance) that's bearing the consequences, not its customers.


My bank has desktop apps but not for Linux. The only other alternative to a smartphone is a hardware TAN generator and they won't give me one because I "don't need it".

At the same time they only allow a 5-digit pin as password for everyone, and as the phone is the second factor it doesn't have 2FA itself. The 5-digit pin is enough to access everything, you don't even need a username because the app is tied to the account.

It's obvious they just threw something together to comply with regulations.


> It's obvious they just threw something together to comply with regulations.

Far worse, there is no regulation to force any of this; it's just competition. Mostly by smaller "banks" with even worse track records concerning security.


There is regulation, that's why we have mandatory 2FA for bank accounts. I think (but am not sure) that SMS phase-out is also part of that regulation, but that might also just be banks being happy to force their software onto more devices to do who knows what.


I contacted my UK bank about this and they switched me to using an email confirmation where they send the OTP code to instead of via SMS. For my digital account, they previously sent me a card reader which the login process still accepts.


Which bank is that?


So if you're permabanned by Google and Apple (which isn't that far-fetched) you're out of luck?


I wonder if such a ban would give you legal grounds to prosecute Apple and Google for preventing you access to these digital services?


But these services are forcing you to use Apple/Google - Apple/Google aren't imposing that requirement.

If anything it'd probably give better grounds to prosecute the services that require Apple/Google.


Your suit would be against eg your bank for failing to provide you obtainable access, but you are likely to find it not a winnable case if you've signed any sticker contracts.


Yes, at this point I guess you'd have to just visit your bank branch to conduct transactions, or perhaps phone banking.

I remember once when my bank didn't trust me enough to even have a debit/ATM card and forced me to go into the branch and queue up and show ID just to get my own money out of my account.


I don't think it's unreasonable to require NFC reading, given the security advantages. The real issue is that Apple forbids side-loading and their Android app uses Google Play Services.

They should remove the dependency on Google Play Services, and probably publish the API details for any enterprising Linux nerds that want to make an app. If they did those two things I don't see any grounds for complaint.


Are there any potential legal issues with requiring citizens to sign a contract (the Google or Apple Terms of Service) in order to access government services?


It's not strictly "required"; you can just do things the old way; I don't even have DigiD, although quite a few services just assume you have it and will send you "post" over it, which I then can't read. It took me about a week of communicating and 15 emails with my health insurance to get them to send me post.


That is really counter to the recently proposed Digital Markets Act. I wouldn't want this and I don't have a verified account for either vendor. I have a Google account with a fake name and that is it. I don't want a digital ID either, the anonymous web is the best web. If there is a purpose like a transaction, be my guest, but otherwise I prefer to keep it shallow. EU countries are known for surveillance of citizens and they need strong limits as to what they are allowed to do. There are still significant problems with home searches too with the exception of cases like human trafficking apparently.


France also has a new initiative to replace the old SSO for all gov services (FranceConnect) with a new system called France Identité, that also seems dependent on smartphone apps, so Google/Apple:

https://france-identite.gouv.fr/

The old system worked fine and will still be necessary for the people who can't enroll in the new one, like resident foreigners who won't get a French biometric ID card.

One has to dig a bit, but as the proposed workflows use a smartphone app, it looks to be dependent on the Android/iOS platforms.


That website explicitly says that it will not replace FranceConnect and other identification options and will never be mandatory or the only way to identify, though. Maybe you think they're lying on the website and have ulterior motives, but they explain it as just an additional identification option for FranceConnect. I'm welcoming it because I find it absurd to use my social security login to identify for asking for a birth certificate, and chip ID cards are the obvious thing to use for identification with public services.

It looks a bit like what we also have in Belgium, but with more (or different) options and with an app that is not privately owned at least.


Note that the original gov proposal was shot down by the French CNIL (translates to ~ national commission for computing & freedom). The new one seems to be basically a QR code only, so it basically can "run" on anything capable of showing a pixmap, albeit I am yet to understand what exactly it is.


Government ID providers in Italy lock people to proprietary apps even when all they need is the most ordinary TOTP https://blog.jacopo.io/en/post/spid-google-authenticator/


Google just forced me to identify myself through credit card because it threatened to delete one of my kids’ gmail accounts. Somehow they detected that my kids weren’t over 18 and said if I didn’t register them under my account it would be deleted.

The fact they can figure out my kids’ ages based on their online behavior, and through their tracking and monitoring is fucking chilling. They don’t even use Gmail often at all.


Based on Google’s documentation on supervised accounts [1], sounds like your child is/was under 13?

They don’t have these checks in place for the fun of it. They’re usually legally mandated, otherwise some parent will sue them because “Google exposed my child to X Y or Z”

[1] https://support.google.com/families/answer/7106787?hl=en


The issue isn’t with the registration, which is another issue altogether. It’s with them tracking the behavior somehow and then deducing their age to such confidence that they threatened to delete their account in 14 days. It wasn’t a guess.

And yet they are so fallible in their other forms of detection like fraud that lock people out of their accounts. The entire thing is creepy and maddening at the same time.


Most likely your kid was asked their age to access something and was honest.


It's a bit unfortunate that we need to teach our kids to lie to service providers to be safe.


We don't. This is the exact opposite of that: children are breaking the law and possibly exposing themselves to things that will be harmful to them when they access the web without adult supervision. Google is attempting to force parents to take some responsibility for their children.


And what is that harm that Google allegedly protects the kids from? Because the harm it causes to them - losing access to service - has been explained above.


You're being incredibly combative and I don't think it would be productive to have any further conversation.


If explaining that this "feature" doesn't increase anybody's safety sounds combative to you, then I agree, it wouldn't.


Google frequently thinks I'm a minor, despite the fact my Google account is by now almost 18 years old (opened back when Gmail was invite-only).

I think their system just blindly classifies every account as minor unless they purchase something.


This is such a problematic mechanism. What if your bank requires you to KYC with a passport in order to get a credit card, and Google requires a credit card like you mention? If your passport is expired you might find yourself in a catch-22 between Google, your bank and the government.


I would assume they were prompted for their age on youtube.


Your assumption would be wrong. They were never asked their age and even if they were they would know to ask me what to do because I told them that they would get locked out if they put in the wrong numbers. And as expected they can no longer post to YouTube for some reason even though there are plenty of YouTubers below 13.


So you’re complaining that Google is trying to follow the law and you’re making your kids lie about their age?

You don’t see the problem with this?


Nowadays you have to lie about a lot of things if you want to use the internet efficiently (or sometimes at all).


So you mean a government regulation by politicians made the internet worse? You don’t say…

See also, the millions of cookie banners that infest every web page because of the EU.


You know damn well the cookie banners are only required for websites that are tracking users.

It's not about using cookies


No, the banner disclosures are only required because a bunch of technologically inept politicians required it.

Have they made browsing the internet better? Have they decreased tracking?


No, because they are not being enforced strongly enough.


So either way whether it’s because of incompetence or neglect, a law passed made the internet browsing experience worse.


No, a workaround to said law made the experience worse.


Ads and spam are what's ruining everyone's experience. If we would pay for services rendered then there is no need for tracking. If we could effectively prosecute and/or block spammers then there would be no need for anti-spam algorithms (from email to services like twitter and discord, iirc yesterday there was a thread about automatic bans based on secret algos with no recourse).

Government regulation is an attempt to make people aware this tracking exists: every time you see a wall, that means the site requires a level of tracking for which there exists no legal basis other than consent, thus it has to ask you if you're okay with that (like any ethical site should do anyhow).

Automated decision making is also part of GDPR but unfortunately is very very weakly implemented. Basically, companies just have to tell you it exists (if and only if it has a significant impact on your life), and then your only recourse is to request a human in the loop, and they will just press the same button as the AI did and you have no idea if they even looked at your case because the decision making doesn't have to be transparent. And that's only for important life things, none of this even applies to being banned from google account unless you sue them and get the judge to agree this has a major impact on your life.


I do. I pay for both a phone (Apple) and an Office Suite (Microsoft) that's not created by an adTech company.

How is any of the GDPR actually working out? Has it made a difference? Has it made the web better or worse?

As far as depending on Google - don’t?


Which law requires Google to revoke access to children on a whim?


There is the big blind spot for governments. Tried to get attention to this too with the covid QR system: they say it is safe for privacy, but it demands that you use an app for that on a smartphone (the paper alternative is not privacy friendly). It is denied and ignored and continues to be a focus point for the EU.


To have a valid train ticket on your phone (for those without printer), you are also required to accept the google or apple terms of service and privacy policy. You can download a pdf ticket, but the data matrix on there is only valid if you print it out!

Last year a big hosting company in the Netherlands introduced a requirement for existing customers to accept the Google TOS/PP before being allowed to log in. Support of course did not see the issue, like literally could not find it. I had to send them screenshots with markings before they saw that the google captcha they had introduced includes some small gray links.

This might not even be such a big deal if the privacy policy explained the data sharing that will actually happen. Rather, there is one fairly short document that applies to literally everything from hosted email to captchas to hardware in your home. Thus it has to say that they will use all gathered data for basically any purpose. Something tells me this cannot possibly be legal (iirc GDPR requires specific and understandable language), but that's the state of affairs.

(Another interesting example was me asking in a chat with ~100 people whether anyone had read the TOS update yet from our broker—the place where you keep your pension money and stuff. The only reaction I got was "anyone reads that? xD".)

Kinda bothers me that everyone is just going along with any terms for convenience. It's ripe for abuse and doesn't have to be this way.


The TOS thing has surely reached the point where it's simply not reasonable to expect people to read them. Put another way - how many people read every single terms of services / privacy policy / end user licence agreement they see in full? I would be shocked if it's more than one in a million. Depending on the services you use (and how frequently they update them) this could require dozens of hours of reading every single week (and many more hours of analysis to fully understand them if that's even possible without training).

Legislation asking (indirectly) that companies shove even more of these "Click here to read our cookie policy" type messages into everyone's faces has only made the problem worse.


> Legislation asking (indirectly) that companies shove even more of these "Click here to read our cookie policy" type messages into everyone's faces has only made the problem worse.

Disagree here. It's not gotten worse, it's gotten more visible. It's only ethical to ask people before tracking them, so any site should have done this already. This legislation forces businesses to act more honestly towards users in this regard.

Businesses impacted then take this and frame it in a manner of "we're very sorry that your government forces us to annoy you with this, but if you'd just sign here we'll be right out of your way..." and the vast majority of techies swallow it because it is, indeed, annoying to have to sign away privacy again and again.

It doesn't have to be this way. See the omission of a cookie wall on various sites that don't do anything that requires special consent.


It's fine to present a pdf, as long as it's legible and the code can be scanned.

> The e-ticket that is loaded on a mobile phone, tablet or laptop is only valid as a ticket if it can be displayed clearly legibly on the mobile phone, tablet or laptop.

https://www.ns.nl/binaries/_ht_1553092893605/content/assets/...


Yeah I’ve shown PDFs before, and as long as the QR code is scannable the NS conductor doesn’t care.


Literally on the PDF ticket it says it is only valid when printed out in full or when loaded in the app that can only be gotten legally through google or apple.


> To have a valid train ticket on your phone (for those without printer), you are also required to accept the google or apple terms of service and privacy policy. You can download a pdf ticket, but the data matrix on there is only valid if you print it out!

It seems that requirements to "consent" to TOS for things like major transport systems (government or not) or government health services (NHS services in the UK for example) just aren't consent in anything but some technical legal sense.

> Kinda bothers me that everyone is just going along with any terms for convenience. It's ripe for abuse and doesn't have to be this way.

I think it's not so much convenience as a change in the laws of the game? With TOS presented human-to-human, people in the past would have been more likely to react in a human way to the person offering them the TOS, businesses and governments would be constrained. Even if they got TOS in the post, there was a human in the loop to complain to and argue with. With TOS online, it's a fait accompli, which changes the costs to both parties.


>To have a valid train ticket on your phone (for those without printer), you are also required to accept the google or apple terms of service and privacy policy. You can download a pdf ticket, but the data matrix on there is only valid if you print it out!

How does this even work? QR codes don't magically change when they're printed.


They are just not accepted by the conductor. But those policies can also change in the (IMO) "right" direction, e.g. the German Deutsche Bahn changed their policies a few years ago and now digital tickets are accepted[1] in PDF form on digital devices, while they previously were not.

[1] https://community.bahn.de/faqs/muss-ich-mein-online-gekaufte... (german source, just saying that it can be used in the app or in PDF form on your smartphone, tablet or notebook)


Fascinating, the way the original comment was written I thought it didn't show up or something


> How does this even work? QR codes don't magically change when they're printed.

Tell me about it.

Or, wait, tell them!


In Latvia, we have a multiplatform app that can read the e-signature from your ID card. Not ideal, but still what the author would approve, I think. I'd prefer 2-FA using a code generator.


The problem with these also ends up being: does that app share info with third parties? Who made the security chip in the IDs? How fast are the IDs replaced when vulnerabilities are found?

I don't really get putting cryptographic IDs into citizen identification. There's not much it provides other than, "well someone had this ID and knew some pin when this ID was used".

The unfortunate side effect of this is, less technical people might see a digital signature as a full and complete proof. While it definitely is not.


> The unfortunate side effect of this is, less technical people might see a digital signature as a full and complete proof. While it definitely is not.

It's far better than the status quo where easily forged documents (passports, driving licences, utility bills) that have a validity period of 5-10 years are considered infallible proof of everything.


In addition, it being cryptographic could mean that you no longer have to share any more data than necessary.

Let's say that you want to implement age verification - all you need is for the card to sign a challenge saying that the user is old enough (which the backend can verify based on public keys published by the government) without having the card reveal anything else.
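
The age-verification flow sketched above, as an added example constructed for this thread (not any national card's actual protocol or code). The simulated card keeps the holder's name and birth date inside and releases only a signed answer to "at least N years old?", bound to a challenge the backend just issued; the backend verifies the signature and learns the boolean and nothing else. The card's public key is handed to the verifier directly; in a real system, as the comment says, it would be validated against keys published by the government, which this example does not model. Names and birth dates are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// card simulates a chip ID card: attributes stay inside it and only signed statements leave.
type card struct {
	key       *ecdsa.PrivateKey
	name      string    // never released in this flow
	birthDate time.Time // never released either; only the age predicate is answered
}

// claimMessage is the exact byte string the card signs: the verifier's challenge, the
// predicate asked and the card's answer, in a fixed delimited layout so fields cannot bleed.
func claimMessage(challenge []byte, predicate string, answer bool) []byte {
	return []byte(fmt.Sprintf("%x|%s|%t", challenge, predicate, answer))
}

// proveAge answers "at least minYears old on asOf?" and signs that answer together with
// the challenge, so the statement can neither be replayed under another challenge nor altered.
func (c *card) proveAge(challenge []byte, minYears int, asOf time.Time) (bool, []byte, error) {
	answer := !c.birthDate.AddDate(minYears, 0, 0).After(asOf)
	digest := sha256.Sum256(claimMessage(challenge, fmt.Sprintf("age>=%d", minYears), answer))
	sig, err := ecdsa.SignASN1(rand.Reader, c.key, digest[:])
	return answer, sig, err
}

// verifyAgeClaim is the backend's check. pub is passed in directly here; a deployment would
// take it from a government-published certificate chain.
func verifyAgeClaim(pub *ecdsa.PublicKey, challenge []byte, minYears int, answer bool, sig []byte) bool {
	digest := sha256.Sum256(claimMessage(challenge, fmt.Sprintf("age>=%d", minYears), answer))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// newChallenge issues fresh randomness per verification; reusing a challenge would allow replay.
func newChallenge() ([]byte, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return b, err
}

// Demo runs an adult and a minor through an 18+ check and probes two failure modes:
// the adult's statement presented under a different challenge, and the minor's answer
// flipped to "true" without the card signing it. Returns (adultOK, minorAnswer, replayOK, flippedOK).
func Demo() (bool, bool, bool, bool, error) {
	asOf := time.Date(2022, 5, 9, 0, 0, 0, 0, time.UTC) // fixed "today" so the demo is deterministic
	adultKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, false, err
	}
	minorKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, false, err
	}
	adult := &card{key: adultKey, name: "A. Example", birthDate: time.Date(2000, 3, 1, 0, 0, 0, 0, time.UTC)}
	minor := &card{key: minorKey, name: "B. Example", birthDate: time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC)}

	// 1. Adult proves 18+ against a fresh challenge; the backend learns only "true".
	ch1, err := newChallenge()
	if err != nil {
		return false, false, false, false, err
	}
	ans, sig, err := adult.proveAge(ch1, 18, asOf)
	if err != nil {
		return false, false, false, false, err
	}
	adultOK := ans && verifyAgeClaim(&adultKey.PublicKey, ch1, 18, ans, sig)

	// 2. The same signed statement offered under a different challenge is rejected.
	ch2, _ := newChallenge()
	replayOK := verifyAgeClaim(&adultKey.PublicKey, ch2, 18, ans, sig)

	// 3. The minor answers honestly ("false"); claiming "true" with that signature fails.
	ch3, _ := newChallenge()
	minorAnswer, msig, err := minor.proveAge(ch3, 18, asOf)
	if err != nil {
		return false, false, false, false, err
	}
	flippedOK := verifyAgeClaim(&minorKey.PublicKey, ch3, 18, true, msig)
	return adultOK, minorAnswer, replayOK, flippedOK, nil
}

func main() {
	adultOK, minorAnswer, replayOK, flippedOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("adult 18+: %v, minor 18+: %v, replay accepted: %v, flipped answer accepted: %v\n",
		adultOK, minorAnswer, replayOK, flippedOK)
}
```

What the verifier stores afterwards is the signature and a boolean; the design question a privacy review would still raise is whether the public key (or certificate) it needed is itself a stable identifier that links visits across services.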


Except people have a much better understanding of how these fail which generally makes a lot of the process "reversible" with police reports etc.


The Irish government attempted to introduce an ID scheme through a back door and got their knuckles rapped by the Data Protection Commissioner here due to a number of reasons (lack of information regarding what citizens were signing up for and how their data would be shared; lack of legislation to support such a card/database; lack of rationale for more or less indefinite retention of your most personal information).

One outcome of the legal cases and appeals is that any government organisation using the card / database for identity verification (lots tried to make it the only form), must make an alternative approach available that is as convenient. The reality is that the alternatives usually require you to present in person and staffing levels have been lowered during COVID / because many people have switched to the digital system.

So there is a trend across Europe to implement this. I personally feel, that in many cases the investment in digital solutions is worthwhile (it's painful watching government employees type in information that the organisation already has access to - wastes time for everyone). BUT... It has to be done in an open, transparent and legal manner.

Highlighting the issue at an EU level, may result in frameworks that deliver the best solution for all EU citizens.


In Italy we're already in a quite similarly bad situation; following is a list of third-party "services" used inside PosteID https://play.google.com/store/apps/details?id=posteitaliane...., one of the most used apps for gov. authentication:

Libraries: Adobe Experience Cloud, Google AdMob, Google CrashLytics and Google Firebase Analytics

Domains caught so far: ajax.googleapis.com android.googleapis.com auditrecording-pa.googleapis.com clientservice.googleapis.com connectivitycheck.gstatic.com crashlyticsreports-pa.googleapis.com deviceintegritytokens-pa.googleapis.com doc-0k-ac-docs.googleusercontent.com firebaseinstallations.googleapis.com lh3.googleusercontent.com www.googleapis.com assets.adobedtm.com oms.dowjoneson.com 2.bp.blogpost.com firebase-settings.crashlytics.com s.webtrends.com statse.webtrendslive.com

To sum it up: googleapis, gstatic, googleusercontent, adobedtm!, dowjoneson?, blogpost!, crashlytics, webtrends, webtrendslive

Plus, the system is based on providers, so you have to go through many bureaucratic steps to get recognized and then you pay-per-user/year that can go up to 7 Euro/user


My first thought was "yeah but what is the solution some sort of home grown mess the gov is supposed to develop..." But the German approach seems pretty neat.


All EEA identity cards already have to comply with IEC14443 standard. This standard also has open implementations for card readers.

How is a phone app in a walled garden a better option for official authentication than the identity card you already use to identify yourself in all other official acts?


What is the German approach?


When (and if) the government finally opens up eHerkenning (commercial part available for companies, not for personal use) to all people you can choose your own identity provider. This has been going on for years now and unfortunately it's not looking to go anywhere since new EU legislation is forcing it to the background for personal use.

If this had been opened up, a third party provider could make something available on any platform (with requirements of course). Won't solve the problem but at least someone would be able to instead of no-one.


They should've supported TOTP, then phased out SMS. I mean, they should still add support for TOTP, but thumbs up their asses.


If you're interested in these kind of issues, rms has been collecting them for years on his website.


After attending many fsfe events I am a bit annoyed as they do all these statements but nothing fruitful comes out. Telling the common man/woman this is not helpful. Many of fsfe people themselves use G-Pay etc.


Only semi-related but I have become increasingly frustrated with spam from all domains to the point I am now in favor of users being mapped to their social security number when they go online, period. When I get calls, such as the five this morning, that say I am suspected of committing a crime (or a family member has, or I owe money I didn’t know about etc) I should be able to report this and the individual be fined or arrested.

We’ve lost the battle for privacy, were never likely going to win it from the get go imo, so let’s at least use it to our advantage


It's already trivial for spammers to purchase social security numbers and other ID's for spamming purposes.

There's no reason to believe spam would stop if an online ID tied to a social security number is implemented.


I’m not talking about a social security number you input, I’m talking about a universal authentication system tied to individual SSNs among other things. Anyway, theft of identities is far less common than scam calls, so your point isn’t even valid to boot.


And then they (in the UK, at least) issue debit cards that you just swipe to pay. No authentication whatsoever.

Otters banging rocks, my friend, otters banging rocks.


There are small limits to the amounts and total you can spend by swiping this way, and then you have to authenticate by another method to reset the swipe block, so the possible financial damage is limited.


It's disingenuous to say citizens are being forced through google/apple for identity, when all govt services are now partially online, and we need a way to do identity, and federation with identities people already use and leveraging their authentication - and then adding proofing on top of that, is the most privacy protecting way to approach it.

Have been an architect on citizen identity schemes, and the conversation in govt that happens is mainly about whether to design and impose a new card-based system (or similar) that has every foreseeable feature they might need for the next 15-20 years it will take to get them out of circulation, and then write a gateway for it that applications have to integrate with - or federate to people's existing IdPs like banks, social platforms, and mobile devices using open protocols for authentication (SAML, OIDC), and then kick the can down the road on identity proofing for those credentials.

There are obviously tons of other factors and moving parts, but resolving this conversation within institutional governance frameworks is pernicious. A great example is that the legislative mandates of different government agencies may prevent them from sharing information about a citizen between them - because from a privacy perspective, there is no reason one agency should be able to use others to collect intelligence about you, because their only job is to provide you a service, and that is strictly prescribed.

The way we did it for federal services was a SAML federation between online banking and the federal government login, using a proxied MBUN (meaningless, but unique number), which has been in operation for over a decade and has been an acceptable privacy solution for all involved.

We don't have universal domestic identity cards in Canada because, like Germany, and other countries post WWII, we have a memory of how internal passport systems get used. The internal vaccine passport scheme for covid is wildly out of line with privacy legislation and outside the remit of government to institute in many ways, and was pushed through using emergency powers, and you can see how it has lost some momentum, but be assured, it will be back, this isn't their first rodeo trying to get national identity cards imposed, and these people never seem to give up.

We have a public health care system with cards for every eligible citizen, but the legislation for the cards explicitly defined the ID cards as not legal to use as any other form of identification (which again, may have changed during the pandemic), because using healthcare to impose a national identity system has historically (80s, 90s and into 00s) been seen as totalitarian, literally, the Gesundheitspass/Ahnenpass of a former age. Canada was where people escaped to from those regimes in the 20th century, and memory of them is still part of the national culture.

Also, where do you think identity comes from? Your name is from your family, birth certificate is issued through a hospital, your baptismal certificate by a church, your childhood vaccination cert by a municipal public health unit, drivers license by a DMV, your tax id and passport through a federal govt service, etc.

Your "identity," is not a document or a real thing, but rather, attributes associated with relationships, and even if we use biometrics and tag a guid to that and put it on some stupid immutable blockchain, it is still an artifact of relationships that are not the same for everyone. Anyway, there are maybe 1000 people in the world with similar knowledge on this topic as mine, so please, AMA.
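
One way to realise the "meaningless but unique number" property the comment describes, as an added illustration and not the actual derivation used in the Canadian federation (the thread does not say how that MBUN is produced). A federation proxy holds one secret and derives, for every (identity provider, subject, destination service) triple, a pairwise identifier: stable for the same person at the same service, but different at every other service, so two agencies cannot join their records on it without the proxy's cooperation. The secret and all identifiers are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// broker stands in for a federation proxy sitting between identity providers (e.g. banks)
// and government services. It never forwards the bank's own customer identifier.
type broker struct {
	secret []byte // constructed; a deployment keeps this in an HSM and plans for rotation
}

// pairwiseID = base64url(HMAC-SHA256(secret, len:idp || len:subject || len:service)).
// Length-prefixing the fields keeps "ab"+"c" and "a"+"bc" from producing the same input.
// Because HMAC is keyed, a service cannot recompute or invert the value, and two services
// cannot tell whether two identifiers belong to the same person.
func (b *broker) pairwiseID(idp, idpSubject, service string) string {
	mac := hmac.New(sha256.New, b.secret)
	for _, f := range []string{idp, idpSubject, service} {
		fmt.Fprintf(mac, "%d:%s", len(f), f)
	}
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Properties runs the three checks a privacy review would make: the same person at the
// same service always gets the same identifier; two services get different identifiers
// for the same person; two people at one service do not collide on the sample data.
func Properties() (stable, unlinkable, distinct bool) {
	b := &broker{secret: []byte("constructed-demo-secret-do-not-reuse")}
	tax := b.pairwiseID("bank.example", "cust-1001", "tax.gov.example")
	taxAgain := b.pairwiseID("bank.example", "cust-1001", "tax.gov.example")
	health := b.pairwiseID("bank.example", "cust-1001", "health.gov.example")
	taxOther := b.pairwiseID("bank.example", "cust-1002", "tax.gov.example")
	return tax == taxAgain, tax != health, tax != taxOther
}

func main() {
	stable, unlinkable, distinct := Properties()
	fmt.Printf("stable per service: %v\nunlinkable across services: %v\ndistinct per person: %v\n",
		stable, unlinkable, distinct)
}
```

The weak point of this construction is the proxy itself: whoever holds the secret can link everything, which is why the comment's governance argument (agencies legally barred from pooling data) matters as much as the derivation.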


> We don't have universal domestic identity cards in Canada because, like Germany, and other countries post WWII, we have a memory of how internal passport systems get used.

Germany does have national identity cards though.

The whole "no ID card" is a very peculiar Anglo-Saxon thing: US, UK, Ireland, apparently also Canada. Of course, you have passports and driving licenses, so effectively almost everyone does have ID, just less conveniently.


They were very controversial before reunification and the integration of the eurozone. There are also de-facto cards, and de-jure cards, and they are different. It's not about having some ID, it's there being a multi-use, single ID that is controversial. Sure, we can have tons of different ones, but a linked identity that gets used across multiple services is not common.

The difference is whether the ID is for a specific service and purpose, or a single identity with a general ID regime to be used at the discretion of police and other institutions. It's a significant legal difference.

What you refer to as a peculiar anglo-saxon no-id-card thing is also what we typically call freedom. The nordic countries have had ID cards forever as well, but also public salaries and other socialist policies that worked for them very well, so aversion to them is not necessarily a "white"/west thing. Freedom is not a value unique to any one culture. What's happening today is technology changes are being used as a pretext for pushing in more radical state controls just using the tech, but without legislative discussion about whether it's desirable.


Devil's advocate here; Do I want my tax money to be used to create an app for an extremely niche group of people? (i.e. people who have a smartphone but not regular Android/iOS). How many people are we talking about, a few thousand on a population of 17 million?

We're not talking about unavailability of government services, there's still a process available, the analog one.


Why not use an existing open standard like TOTP instead of creating a custom app? Seems less of a hassle to me.


They actually answered that, something with the user experience of using two apps and TOTP not meeting requirements for the highest eIDAS level. See interview here (in Dutch): https://www.security.nl/posting/701749/Security_NL+spreekt+m...


Sorry to keep posting this same sort of comment here, but: does that say anything about U2F or FIDO2?


No; just TOTP.

