This idea that protecting users is worth the cost of giving up your ownership rights is fallacious.
Protecting 1 million grannies is an entirely different risk class than the security implications of stopping everyone from using their devices as they see fit.
Protecting 1 million grannies means everyone loses ability to install apps that:
-allow encrypted chat
-allow use of privacy respecting software
-download art/games/entertainment that is deemed inappropriate to unelected parties
-use software to organize protests and track agents of hostile governments
-download software that opposes monopolistic holds of controlling parties
Using Linux is also not a real choice. To access my bank and health services in my country, I require a mobile device that is remote attested by either Apple or Google which are American countries. Hell, it's becoming closer to reality that playing online video games requires remote attestation either to "prevent" cheating or for age verification.
Thus the risk widens to the sovereign control a nation has over its own services. A US president could attempt to force Google and Apple to shutoff citizen access of banks and health services of an entire nation. Merely the threat could give them leverage in any sort of negotiations they might be in. For some nations in the future, the controlling nation may be China I imagine.
I think the real regulatory solution here is to break up monopoly practices. While the EU's DMA is all well and good in some ways, the EU is also pushing Chat Control... In a more fragmented market it becomes impossible for a bank or health service to mandate specific devices for access (they lose potential customers) so you could theoretically move to a device that doesn't do draconian style remote attestation that breaks if you go off the ranch. We need more surgically precise regulatory tools than sweeping legislation that would keep using alternatives like Linux or FreeBSD or whatever actually viable. It also makes it much harder for that same legislative body to enforce insane ideas like Chat Control.
The answer is not protect users from themselves. The answer is more freedom, with a legal framework that helps all users have more choices while helping victims acquire restitution.
> A US president could attempt to force Google and Apple to shutoff citizen access of banks and health services of an entire nation. Merely the threat could give them leverage in any sort of negotiations they might be in
This. We can’t anymore say to ourselves “but surely a US president would never do that”?
Reference: recent tirades at Canada, Spain, Colombia, Ukraine, ...
Without limitations on authority and control, I worry more that the world will devolve into a multilateral legal hellscape, even moreso than exists today. Given how much is dependent on software, you are going to have the governments of pretty much any country with multinational exposure trying this in the next 10 years if recent UK and EU developments are any indicator.
> To access [...] health services in my country, I require a mobile device that is remote attested by either Apple or Google
I knew of banks, but how is it that health services need remote attested mobile devices? Do clinics not support setting appointments through calls anymore, or what?
In my country, the same verification service is used to access banks, health services (private and public), taxes, and even verify online retail purchases. This verification app on Android requires Play Integrity on first time activation so fresh installs of something like GrapheneOS will not let you use the app. It's still currently possible to use a hardware token alternative to the app. It is only getting less convenient and possible to opt out of the digital verification systems even if there's technically still workarounds. In the past, even when such verification systems existed, they were less user constricting (no requirements on remote attestation for example).
I believe if we look at the past compared to now, and then extrapolate towards the future, without proper action, we will keep slipping down the slope.
I see all of these "in my country, we need a phone to do X" posts, and while I believe them, I feel like they always leave out key information. I'd also like to know: What actually happens when the customer does not have a phone? Do you just never get healthcare? Do you just never bank? Surely there are (perhaps inconvenient) alternatives that people without phones can use. The national government doesn't just let its citizens slide into some healthcare-less, unbanked purgatory simply for not having a phone. What is the real, full picture?
As someone in the USA, I could toss my phone in the dumpster forever and still live my life pretty much as I live it today. I might have to make a few minor sacrifices, but I'm grateful we still have that choice here.
Recently, I was referred by my family physician to a healthcare provider. That provider required a mobile phone number for registration. I emailed them to complain about this and their reply was that if I did not have a mobile I should contact the referring medical practice to find an alternative means of treatment. I did, and their response was that I should take it up with the provider.
But this is, of course, just one anecdote. I would also be interested in seeing more information.
> The national government doesn't just let its citizens slide into some healthcare-less, unbanked purgatory simply for not having a phone.
Unfortunately, I think that depends on whether the portion of citizens without a phone is significant. People need to care for businesses/government to care.
See also countries where they struggle to use cash. What happens when a customer does not have a bank account?
So what actually happens in Sweden: there are two officially sanctioned authentication apps: BankID (originally developed by banks) and Freja. Both only run on a mobile phone.
For government services, both will work. But you must use some of them, otherwise no government for you. You can still do some things by paper, but those are getting rarer and rarer nowadays. The general assumption is that everything is done online. Some government services can't be done by paper or physical visit, not without involving this authentication at some point.
For most of everything else, only BankID (the oldest of the two and the most deployed by far). Especially for banking, only this works. Even if you call the bank and try to sort out via phone, they will refuse service until you can prove that you are you by authenticating via BankID.
But Sweden is mostly cashless nowadays (even some bank branches are refusing to deal with cash). For example, you can't take a bus or train and pay with cash. You have to use a vending machine that only exists on train stations, or depending on which kind of transport and the region you live you might be able to do a contactless payment, or you must use the app (the default choice that 99% use). If you use the app, to pay you need to use a "card not present" flow, or Swish (Sweden's mobile payment system), and to complete either you must use BankID. You can't use your card or do any payment without BankID (if the card is not present).
Even if you do use your card, if it gets denied for any reason, for you to sort out the issue you'll need the mobile phone and BankID.
If you go out with friends to a restaurant, most restaurants don't accept cash. If the restaurant doesn't accept charging each one individually then someone needs to pay for the group, and they will expect you to pay them via Swish which requires BankID. People won't take cash either.
As you can see, it's not actually trivial here to live as part of society without a working mobile phone. If you're outside, you better have 100% faith on your card, and/or be prepared that you might need to walk back home as you can't do much now, might not even be able to buy transportation.
Some smaller shops/kiosks only take Swish: no cash, no card. That requires a phone plus BankID.
If (or better said: when) BankID starts requiring the device to pass Play Integrity, then not only you must be carrying the device at all times, but it must be a blessed device from Google or Apple.
In Denmark the situation is very similar, and in their case their app (which is called MitID) already mandates that the device has to pass Play Integrity.
it's usually to see the results of your lab work, message doctors about refills, etc. You'd probably be able to get some of that mailed instead at the cost of time certainly.
Protecting 1 million grannies is an entirely different risk class than the security implications of stopping everyone from using their devices as they see fit.
Protecting 1 million grannies means everyone loses ability to install apps that:
Using Linux is also not a real choice. To access my bank and health services in my country, I require a mobile device that is remote attested by either Apple or Google which are American countries. Hell, it's becoming closer to reality that playing online video games requires remote attestation either to "prevent" cheating or for age verification.Thus the risk widens to the sovereign control a nation has over its own services. A US president could attempt to force Google and Apple to shutoff citizen access of banks and health services of an entire nation. Merely the threat could give them leverage in any sort of negotiations they might be in. For some nations in the future, the controlling nation may be China I imagine.
I think the real regulatory solution here is to break up monopoly practices. While the EU's DMA is all well and good in some ways, the EU is also pushing Chat Control... In a more fragmented market it becomes impossible for a bank or health service to mandate specific devices for access (they lose potential customers) so you could theoretically move to a device that doesn't do draconian style remote attestation that breaks if you go off the ranch. We need more surgically precise regulatory tools than sweeping legislation that would keep using alternatives like Linux or FreeBSD or whatever actually viable. It also makes it much harder for that same legislative body to enforce insane ideas like Chat Control.
The answer is not protect users from themselves. The answer is more freedom, with a legal framework that helps all users have more choices while helping victims acquire restitution.