It's actually worse. I just signed up with a dummy email and the page says they need your email to create an account, so they can store the icon kits you've created. That kinda makes sense. But at no point do they ask you whether you want to subscribe to any form of newsletter. AFAICT not even the privacy policy mentions anything about that. You're just subscribed automatically. So by definition anything not crucial for creating the account is literal spam. I'm not even sure that's legal under GDPR.
But the thing that might actually be killing their reputation is that their mails seemingly come from different emails all looking like bounces+18741050-ecba-jopudmulwqqsumjwub=nespj.com@email.fontawesome.com. But even worse than that, the "confirm your email" email and the following "finish account setup" email came from two different sub-domains. Maybe this is just a new attempt to get around Google's spam filter, but it seems like the worst thing you could possibly do when sending emails.
> But even worse than that, the "confirm your email" email and the following "finish account setup" email came from two different sub-domains. Maybe this is just a new attempt to get around Google's spam filter, but it seems like the worst thing you could possibly do when sending emails.
Standard advice is to use one subdomain for "transaction" email (verification, invoices) and another for marketing.
That is standard practice because you will need to cycle that marketing domain until the end of time as its email reputation sinks into the abyss. Because people don’t want spam.
As strange as it is, Austria is quite far ahead in terms of eIDAS since we've had Handysignatur for more than a decade. I wouldn't be surprised if the Germans are planning to support hardware tokens, but haven't had the time yet.
Yeah, quite ahead in terms of making anonymous phone numbers illegal and requiring the government to know your phone number.
And if you don't want to use a smartphone, ID Austria does not work with regular FIDO security keys, you need special ones. Same for the old SmartCard system which didn't work without government-mandated malware.
I agree, you should be able to run anything you want, root your device, etc., but you also have to accept the consequences of that. If an app can no longer verify its own integrity, certain features are simply impossible to implement securely.
Think of it this way: A physical ID (which is what we're trying to replace here) also has limitations, it looks a certain way, has a certain size, etc. Just because somebody wants a smaller ID or one with a larger font or a passport in a different colour or whatever, doesn't mean that this should be allowed or possible. Some limitations exist for a good reason.
Users have the right to modify any app running on their own device. Software security should never depend on the user having no control over their own device. Smartphones are essentially just regular computers, and on them you can use a debugger and do whatever you want. Viewing smartphones as closed systems like game consoles where you need the manufacturer’s permission for everything only leads us into the dystopia that Richard Stallman described as early as 1997 in his short story "The Right to Read".
To become a dystopia, people must be forced to use locked down smartphones. In reality you buy the one that suits your needs and do not enforce your design decisions on the smartphones other people use.
Where is that free choice that you see "in reality"? This post is about the opposite of that getting put in place. The actual reality is that almost every service provider is converging on supporting a few extremely restrictive options. From every private service you can think of, to key government services. They all are saying "to interact with us, you must use one of these two types of devices, with all the attestation and security measures intact". It's impossible for people to make their own design decisions or choose for themselves, because other options do not have the corporate/government blessing.
It's ridiculous that you look at all of us being forced into a government-protected duopoly, and then say "Don't you dare force your decisions on us!" to anyone suggesting that this should not be the default. Rules for us, but not them.
> They all are saying "to interact with us, you must use one of these two types of devices, with all the attestation and security measures intact"
Are you claiming that this is the only way of interacting with particular government services, with the other ways that existed before the app no longer being available? To make the situation "dystopian" this must be the case.
First it's new and optional, then it's mature but equal, then as adoption grows further, the old way of doing things gets deprioritized and neglected, then you're a 2nd tier citizen until they finally remove it altogether.
See: Essential businesses like grocery stores going cashless
Businesses are not government services and are free to do whatever is allowed by the law. For a country to be dystopian the government in your example must prohibit businesses from taking cash.
Once SafetyNet was brought to Android a decade ago the tendency has been clear - these freedoms are going to be restricted heavily.
Because how do you make sure it's the user who does those modifications, willingly and well-informed? That it's not a malicious actor, not a user getting socially engineered or phished? Incredibly difficult compared to the current alternative.
If it's not a software root of trust that provides an attestable environment like Android or iOS, it's going to be a hardware root of trust that provides an attestable hardware environment, like SGX. I can predict no other practical avenue taken. Unless the orangutan really forces a demonstration on how untrustworthy these environments can be and a lot of money and effort is spent.
You can attest that cryptographic key material is safely stored without attesting that their operating system and software running on it is all government-approved.
That's what smartcards like Yubikey do, my government certificate is on it and it can't be exported. They could attest that but beyond that, the operating system of the host device is none of their business.
> You can attest that cryptographic key material is safely stored without attesting that their operating system and software running on it is all government-approved.
There's no proper way of doing so on Android.
Some countries, like Estonia, are providing their own SIMs to solve this problem. That indeed works. Unfortunately phones are being made that are eSIM-only and certifying eSIMs to the same EAL level is near-impossible.
Comparing being able to run the hardware and software of your choice to "wanting a passport in a different color or whatever" is so completely fucked, and it's beyond insane as a justification for giving two American tech companies with a well established track record for doing evil control over your citizens' ID.
The world has gone absolutely mad, what the fuck am I even witnessing? It is quite literally becoming 1984 in front of my eyes, with people complying completely voluntarily and openly advocating for it, not even a threat of force to make it happen.
Demanding full control over something like an ID will fundamentally not happen. The same way you won't have full control over the way passports or paper bills are made.
Take for example the expectation that some poor fool's ID can't be cloned and reused by malicious actors - full control directly contradicts that. It will not and must not be possible.
We don't need 'full control' over an ID. We need the status quo, where we mostly have control over our devices, and where paper IDs are still the foundation of society. Things are fine the way they are. There are problems, sure, but no problems that are made better by an all-encompassing surveillance state.
If I am lashing out, it is because this is perhaps the most dangerous thing I've ever seen proposed, and it is deeply distressing how people are sleepwalking into it. To be honest, if I were German, I would probably just kill myself the day I was legally mandated by my government to register my identity with Google. That might sound hyperbolic, but I'm really not kidding. I have lived with privacy, anonymity, and freedom for all of my life. If the future of this world is one where the government and Google have complete control over every single thing you do, I'd rather die having lived a satisfying life than witness the horrors that are to come.
How do you use your paper ID to prove identity or age or citizenship to someone hundreds of kilometers away whom you are conducting an online transaction with?
> It's not that important to be able to do that. You have been educated to trade your freedom for that kind of convenience, but it is not necessary.
It's important enough that people do so without any eID, using methods both more invasive and less reliable. Gas bills, document photos, having to take videos and pictures of yourself.
Humans have lived in caves and died of preventable diseases, it doesn't mean it's a better way of living.
> To be honest, if I were German, I would probably just kill myself the day I was legally mandated by my government to register my identity with Google. That might sound hyperbolic, but I'm really not kidding.
This is honestly not a good argument - it makes you sound desperate and puts in doubt your mental stability. I don't think you actually have mental problems, I just mean this kind of argument comes off bad.
Also nobody is forcing anyone to do anything. You don't have to own a digital ID. It just makes things easier, because you can sign things over the internet, or present your phone instead of your plastic ID. Both things already have alternatives (qualified signatures and regular physical ID), so no immediate harm is being done.
Don't get me wrong, I am personally anti bigtech, I try to degoogle as much as possible, and I find the thought of my government coercing me to use google/apple duopoly repulsive. I dislike that, but using phones (instead of for example dedicated hardware) IS pragmatic, and you are not forced to do anything.
For now. In 5 years you will, there is not one doubt in my mind about that. We've been on a slippery slope for (at least) 40 years straight, every year is a loss of privacy rights compared to the last, there is not a single year that reversed the trend, not a single year where we paused and stayed where we were. Once digital ID is implemented everywhere, alternatives will be quickly phased out. It's straight downhill as governments and corporations take more and more advantage of technology to build a degree of surveillance that even dystopian science fiction writers couldn't imagine.
The government, the corporations, the data brokers each individual corp sells your data to to compile a unified profile, and anyone the data brokers are willing to sell to have an unbelievable amount of information on the average citizen. They know where you live, where you are at all times, where you work, every website you visit, every Google search you've ever made, everything you purchase, all of your acquaintances, when and for how long you call those acquaintances, the full contents of any conversations you have with those acquaintances, your interests, your hobbies, your political beliefs.
I have thus far managed, I believe, to avoid the worst of the surveillance, with a tremendous amount of effort and the sacrifice of an unbelievable amount of personal convenience. But every year I find myself losing access to more and more things that I am unable to do without compromising my privacy. If it gets as far as government-mandated Google ID in my country, I think it's completely rational to kill oneself rather than live like cattle. If there were a resistance movement, I would participate in that instead, but this is happening completely voluntarily. You people want this. There is no resistance. Fine, you can have your dystopia. But there is no reason I need to be part of it, and I don't think it's a sign of mental illness to opt out. I don't much believe in living for the sake of living, you should live if it brings you happiness/satisfaction/whatever and don't if it doesn't.
The clauses are [with a well established track record for doing evil] [control over your citizens' ID], if that's not clear. I wonder from where your quote cut off if my sentence was misunderstood.
As to the well-established track record of doing evil... gestures broadly everything? Google in particular has built an empire on stripping away people's privacy, and they regularly ruin people's livelihood by e.g. shutting down Youtube accounts incorrectly with automated systems and no way of ever reaching a human for support unless you're famous enough to make it a PR issue. Apple is the same, just recently with a thread on HN lamenting that Apple was destroying their business because they revoked their dev license, or in other words, a private company unilaterally revoked the ability of a business to create mobile software for billions of devices. And now we want to give them control over our IDs? ????????????????????????
Well, in that case, if they want full control and attestation yadda yadda, I'm fine with them shipping me a device they fully control exclusively for use of this stuff. But if we're talking about my smartphone that I paid for with my money that I worked for, I will do whatever I damn please with it. So I guess that means eIDAS will be inaccessible to me.
Why not just have the Secure Enclave in the ID card and use NFC to communicate with it? Think about it, you literally have dozens of computers between you and the provider. Routers, middleboxes, load balancers, servers etc, all insecure or untrusted, but somehow my device needs to have their special rootkit and hardware DRM. A separate device that can be provisioned with ID is the least to ask. If the government doesn’t trust me with my device, fine, but then return the favor - I don’t trust them either. Both governments and corporations that are gonna use this have long track records of invasive, often illegal spying - whereas my track record is letting people mind their own business.
This is exactly what the ID cards I'm talking about are. You tap them to the phone or a desktop reader and it works. You just invented something that already exists.
eIDAS just takes this one step further and gives you an option to not have to carry your card with you. But if you refuse to have an attested phone, then you pay those 20EUR to get the ID card (which you probably need for other uses as well) and move on with your life.
> This is exactly what the ID cards I'm talking about are. You tap them to the phone or a desktop reader and it works. You just invented something that already exists.
Great, thanks for clarifying. Please be mindful not everyone is a domain expert and we’re all (hopefully) trying to learn.
Now, do you know whether ID cards will work with the proposed German system for e2e online ID verification? My understanding from comments was that it doesn’t, and providers are free to require the app-based version.
In Sweden we have an app-based system now (BankID), and afaik there are no alternatives that work reliably. You have to buy an American phone every few years to participate in basic societal functions. However, the government is "looking into" decoupling digital identity from (1) banks and (2) mandatory hardware manufacturers (iOS/Android).
The German version of the eIDAS app should be completely banned from being used for age verification, if they wish to continue the project. Otherwise it effectively bans you from a sizeable portion of the internet, unless you accept unacceptable privacy violations.
No. I reject this framing. It is none of anybody's business how "secure" my device ever is. A smartphone is a piece of electronics, and not a tamper evident identity device.
True, but it's really hard to name a family of commercial devices with security features in hardware, including serious security features, which were not eventually hacked.
Worse still, for new mainstream devices that are believed to be safe the state sponsored actors will likely operate unpublished exploits, and will exploit the misplaced faith people and judiciary will put in device attestation. I don't think the very likeable people who worked on Pegasus found themselves respectable jobs - they are likely still selling that sophisticated crap to all authoritarian regimes.
Simply because the law was written that way. But also the whole idea of identity verification becomes pretty useless, if there is no chain of trust. You could run a modified client that lets you assume any identity you choose, exactly the opposite of what eIDAS is trying to achieve.
> You could run a modified client that lets you assume any identity you choose
Provided you know the secret key to a government-issued certificate. Making it impossible to copy said certificate is not really a requirement for identity verification.
Some countries fixed it already, see Estonian or Polish IDs with digital layer (performing signing, authentication, etc), and the devices only acting as untrusted interfaces to these.
It will likely display something like a QR Code with signature anyways, otherwise it's just a glorified passport picture?
Authorities/anyone could verify that it's not counterfeit. And photo should be checked anyways to match the person.
So I also don't see the need for attestation. For ID check it should be ok without. For signing stuff ofc it is not resistant to copying. But EID smartcard function already exists.
It is a nonsensical ruling. But IIRC the reason was basically that while Apple and Google did basically the same shit, only Google kept a written record of their monopolistic behaviour, so only Google was found guilty.
However, there is a relevant court case here. The one about Samsung's "Auto Blocker" (https://arstechnica.com/gadgets/2025/07/samsung-and-epic-gam...). Epic Games sued because Samsung made it too hard to install apps from "untrusted" sources. This may be a reason why Google is now trying to make the process more difficult on the developer side instead.
The Samsung case is very interesting, haven't bumped into that one before.
... as far as I understand the really nasty part of "contemporary" jurisprudence of antitrust enforcement is that the standard is to show that things would be cheaper for the consumers
(though I don't know why developers are not considered consumers of the app marketplace services, after all for them bringing their own payments and whatnot would be much more cost effective... well, anyway, unfortunately the courts are mostly locked to this very inefficient path-dependent way of regulating anything through super expensive arguments, which is an obvious (?) dysfunction of legislation)
My guess is that Android 17 will show the registered name of the developer of the app you're trying to install. With stolen IDs you can only get accounts for individual developers not for organisations.
When a scammer pretending to be your bank tells you to install an app for verification and it says "This app was created by John Smith" even grandma will get suspicious and ask why it doesn't show the bank's name.
When someone is getting scammed by "special agent John Smith of the Federal Banking Enforcement Commission", the name "John Smith" won't cause any suspicion.
This trick only works if the general public is aware of what the app developer label does, what it is used for, what it protects against, and what it's supposed to say. However, if that's the case, you already have all the info you need to deduce that you shouldn't be installing APKs sent by a guy over the phone anyway.
Like you said, for years now they have added more and more restrictions to address various scams. So far none of them had any effect, other than annoying users of legitimate apps, because all the new restrictions were on the user side. This new approach restricts developers, but is actually a complete non-issue for most, since the vast majority of apps is distributed via Google Play already.
In the section "Existing Measures Are Sufficient." your letter also mentions
> Developer signing certificates that establish software provenance
without any explanation of how that would be the case. With the current system, yes, every app has to be signed. But that's it. There's no certificate chain required, no CA-checks are performed and self-signed certificates are accepted without issue. How is that supposed to establish any form of provenance?
If you really think there is a better solution to this, I would suggest you propose some viable alternative. So far all I've heard from the opponents of this change is either "everything is fine" or "this is not the way", while conveniently ignoring the fact that there is an actual problem that needs a solution.
That said, I do generally agree with you that mandatory verification for *all* apps would be overkill. But that is not what Google has announced in their latest blog posts. Yes, the flow to disable verification and the exemptions for hobbyists and students are just vague promises for now. But the public timeline (https://developer.android.com/developer-verification#timelin...) states developer verification will be generally available in March 2026. Why publish this letter now and not wait a few weeks so we can see what Google actually is planning before getting everybody outraged about it?
Because without this early resistance, there wouldn't even be vague promises of hobbyist/student exemptions. I think it's important to make community objection to the entire idea known loud and clear, especially when changes like these are absolutely ratcheting.
Starting from their first announcement of this, Google has explicitly asked for comments and feedback from affected developers. They have a Google Form for exactly that linked on all the announcement pages.
The exceptions for students/hobbyists were always promised, but the "advanced flow" came later based on this feedback. AFAICT Google has, so far, only made things better after the initial announcement. I don't see why we shouldn't give them the benefit of the doubt, at least until we have some specifics.
Pushing this open letter out just days/weeks before Google promised the next major update just seems off.