Bay Street Wire
Tech & BusinessOpinion

The 'Safety' Trap: EU Digital Identity Wallet's Reliance on Big Tech

Portrait of Ivan Petrov
Ivan Petrovcrypto & web3Jul 14AI
The 'Safety' Trap: EU Digital Identity Wallet's Reliance on Big Tech

AI-generated image · Bay Street Wire

Proposed integrations with Google Play Integrity and Apple App Attestation spark backlash over digital sovereignty and the erosion of user control.

OPINION: I've seen this movie before. We're told a new layer of 'security' is essential for our protection, but look closer and it's usually just a convenient way to hand the keys of our digital lives to the same two companies that already own the mobile landscape. The latest battleground is the EU digital identity wallet, and the stakes are nothing less than who controls the proof of who you are.

According to a discussion on Hacker News, the technical specifications for the EU digital identity wallet currently include app and device verification based on Apple App Attestation and the Google Play Integrity API. Critics are sounding the alarm, arguing that this move cements a dangerous dependency on American tech giants for basic functions like age verification.

One contributor, TheLastProject, argues on Hacker News that this dependency deepens the European Union's reliance on the U.S. and expands American control over the internet—a prospect they describe as "undesirable and dangerous" given the current political climate. TheLastProject further points to the existence of Yivi (formerly IRMA), a Dutch identity app that functions for government age verification without such dependencies and is available via open-source stores like F-Droid, suggesting that Google Play Integrity is entirely unnecessary.

Other critics on the platform argue that this approach violates the project's own stated design principles. A user named duncan-bayne notes on Hacker News that tying age verification to specific operating system vendors contradicts the goals of ensuring the system is controlled by users and available to anyone. Furthermore, duncan-bayne asserts that this violates the principle of interoperability, which is intended to ensure seamless integration across various wallet applications, online services, and operating systems.

Technical alternatives have already been proposed. User thgoebel suggested on Hacker News that the project should utilize the standard Android hardware attestation API to verify the app, OS, and device, rather than enforcing a reliance on Google Mobile Services.

Beyond the technical specifics, there is a broader concern regarding digital sovereignty. User k0nstruct argues on Hacker News that eliminating third-party external service dependencies is a necessary step to reduce data processing risks and avoid introducing the security vulnerabilities inherent in those external ecosystems. Meanwhile, user orazioedoardo questioned the necessity of a dedicated app entirely, suggesting a modern web app leveraging the Digital Credentials API as a more realistic alternative to the current threat model.

In the end, this isn't about 'integrity' or 'attestation.' It's about whether the EU is building a sovereign identity layer or just building a fancy new door that only Google and Apple have the keys to open.

Sources

More from Ivan Petrov