Next, as countries are requiring more and more age verification online, the EU accidentally outlaws GrapheneOS by introducing an age verification system that requires an OS certified by Google or Apple. https://chaos.social/@luc/114860815364169550
You're free to run GrapheneOS or Windows or whatever, so long as you also have a device that is attested to be untampered by Google Play or Apple's equivalent.
Graphene replied in that thread (just ctrl+f for them), saying "Unfortunately, the EU is adopting the Play Integrity API enforcing having a Google Mobile Services device instead. We've repeatedly raised this issue with the EU Commission and many apps including ones tied to this specific project. We've never been given reasoning why they can't use the hardware attestation API instead."
I'm personally not so keen on that lesser DRM requirement either, since it's just another level of gatekeeping: ok now it's not only Google/Apple but also a few OSes that meet ?some? requirements, but e.g. GrapheneOS also doesn't unilaterally let me access data on my device, maintaining that full access is dangerous and cannot be allowed -- yeah, I'll agree data is safer when I can't even access it myself, seeing how much malware goes around for NT/Linux distributions where you can have root, but I'd still much rather live in a world where I'm the root on my systems. But anyway, that's maybe another discussion, the broader point is that even GrapheneOS can't talk sense into the EU with their lesser-but-still-DRM option.
Tying legislation/compliance requirements to specific vendors (Apple/Google) that happen to be dominant today feels wild to me (as opposed to open standards).
Surely that directly entrenches their moat, and raises the difficulty of any new market entrants competing (leaving us with the effective duopoly we have today).
I fear this is increasingly becoming the case for most digital businesses through blanket requirements that don't taper into effect with the maturity/scale of the business - it's a legislative pulling up of the ladder behind them by creating high barriers to entry.
> You can fairly easily build and flash a rooted version of GOS yourself.
This won't be signed with the right attestation key because I'm not them.
My understanding is that attestation is tied to the distribution's private key, so this government software wouldn't trust my version of the OS, assuming the govt could be made to understand Android's attestation framework is a vendor-neutral way to achieve the same goal (whatever goal that may be). With a rooted GOS, I'd still need another device, tied to my government identity, of which I can't verify what it's doing, much less control it.