EU Digital ID Wallets Depend on Google and Apple Security Services

Original: European digital ID wallets rely on safety services of Google and Apple

Why This Matters

The EU's digital sovereignty goals are undermined by an embedded dependence on private tech platforms that control access to public infrastructure.

European governments deploying digital identity wallets are relying on the Google Play Integrity API and Apple's Managed Device Attestation for security. This creates a dependency on private companies and excludes users of alternative operating systems such as /e/OS and GrapheneOS from accessing critical public services.

European member states are rolling out digital identity wallets for citizens to access government services and verify age online. However, these wallets depend on remote attestation services from Google and Apple: the Google Play Integrity API and Apple's Managed Device Attestation. These APIs verify that wallet apps run on unmodified hardware.

The problem, according to Waag and reports from Follow the Money and Android Authority, is that Google's Play Integrity API reinforces Google's control over the Android ecosystem. The API checks whether apps run on Google-licensed Android devices and use the Google Play Store, effectively excluding unlicensed alternatives and devices running de-Googled operating systems. Google uses the Play Store as the source of truth, requiring installation through Google's channel and Google account sign-in. This violates the EU's Digital Markets Act (DMA), which aims to prevent monopolistic practices. Wallet developers in the Netherlands and Italy have implemented Play Integrity, excluding users of alternative systems.

An open alternative exists: Android's Hardware Attestation API provides hardware-based security without enforcing Google's ecosystem policies. The article argues that the current approach contradicts Europe's stated goal of breaking big tech monopolies and building public digital infrastructure based on openness, inclusivity, and technological sovereignty. ID wallets provide access to critical government services and should remain interoperable across devices and operating systems.
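The contrast between the two attestation approaches described above can be made concrete with a relying-party policy check. This is an added example, not code from Waag or from any wallet project: the policy rules, the allow-list, and the sample device are assumptions constructed for illustration, using field names from the Play Integrity verdict and the Android key attestation extension.

```python
# Added example: relying-party policy over already-verified attestation data.
# Assumption: token decryption and certificate chain validation happen upstream.

# Hypothetical allow-list of verified boot key digests (hex); constructed value.
TRUSTED_BOOT_KEYS = {"aa" * 32}

def play_integrity_policy(verdict):
    """Accept only a Play-distributed app on a device Google recognises."""
    reasons = []
    device = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if "MEETS_DEVICE_INTEGRITY" not in device:
        reasons.append("device not recognised as certified Android")
    if verdict.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognised by Google Play")
    if verdict.get("accountDetails", {}).get("appLicensingVerdict") != "LICENSED":
        reasons.append("no Google Play licence for this user")
    return (not reasons, reasons)

def hardware_attestation_policy(att):
    """Accept a locked device with hardware-backed keys and a known boot key."""
    reasons = []
    if att.get("attestationSecurityLevel") not in ("TrustedEnvironment", "StrongBox"):
        reasons.append("attestation is not hardware-backed")
    rot = att.get("rootOfTrust", {})
    if not rot.get("deviceLocked"):
        reasons.append("bootloader is unlocked")
    state = rot.get("verifiedBootState")
    if state == "SelfSigned":
        # An OS that signs its own builds is accepted only if its key is pinned.
        if rot.get("verifiedBootKey") not in TRUSTED_BOOT_KEYS:
            reasons.append("boot key not on the allow-list")
    elif state != "Verified":
        reasons.append("verified boot state is " + str(state))
    return (not reasons, reasons)

# Constructed sample: a phone running an alternative OS with a relocked bootloader.
ALT_OS_VERDICT = {
    "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]},
    "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION"},
    "accountDetails": {"appLicensingVerdict": "UNLICENSED"},
}
ALT_OS_ATTESTATION = {
    "attestationSecurityLevel": "StrongBox",
    "rootOfTrust": {"deviceLocked": True, "verifiedBootState": "SelfSigned",
                    "verifiedBootKey": "aa" * 32},
}

if __name__ == "__main__":
    print(play_integrity_policy(ALT_OS_VERDICT))
    print(hardware_attestation_policy(ALT_OS_ATTESTATION))
```

The same constructed device is rejected by the first policy on three ecosystem criteria and accepted by the second on hardware-rooted criteria alone; which boot keys to pin is a decision for the relying party.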

Source

waag.org