
Hardware Attestation as Monopoly Enabler

GrapheneOS alleges that Google and Apple are leveraging hardware attestation, through tools like Play Integrity and App Attest, not for security but to establish a mobile duopoly and extend control over user devices. They warn that even governments and essential services are adopting these systems, inadvertently stifling competition and user freedom. This is particularly relevant as attestation expands to web-based interactions like reCAPTCHA, potentially forcing users into certified hardware ecosystems.

Score: 644 | Comments: 234 | Highest Rank: #1 | On Front Page: 18h | First Seen: May 10, 6:00 PM | Last Seen: May 11, 11:00 AM

The Lowdown

GrapheneOS, a privacy-focused mobile operating system, has raised an alarm regarding the expanding use of hardware-based attestation by tech giants Apple and Google. They argue that these systems, including Google's Play Integrity API and Apple's App Attest API, are being increasingly adopted by services like banking and government apps, and are even extending to web verification mechanisms such as reCAPTCHA Mobile Verification. GrapheneOS contends that this trend serves primarily to lock users into Apple or Google-approved hardware and operating systems, fundamentally undermining competition and user autonomy under the guise of enhanced security.

  • Monopoly Enforcement, Not Security: GrapheneOS explicitly states that hardware attestation, as implemented by Google, is not genuinely about security. They highlight that their own OS, designed for superior security, is banned by Play Integrity, while older, unpatched Android devices are permitted. This inconsistency, they argue, reveals the true motive: enforcing Google Mobile Services (GMS) licensing and anti-competitive rules. Apple's App Attest similarly functions to maintain its walled garden.
  • Expansion to the Web and Desktops: Initially prevalent in mobile apps, hardware attestation is now migrating to the web. Apple's Privacy Pass and Google's reCAPTCHA Mobile Verification are examples, potentially requiring users to possess a certified smartphone (iOS or Google-approved Android) to access parts of the internet, including on desktop Linux, Windows, or FreeBSD.
  • Government and EU Complicity: Despite rhetoric about digital sovereignty, GrapheneOS points out that governments, particularly within the EU, are mandating or encouraging the use of these attestation systems for critical services like digital payments, ID, and age verification. This participation, they argue, directly aids Apple and Google in solidifying their duopoly rather than fostering a competitive or open digital ecosystem.
  • Anti-Competitive Practices: Google's control over Android certification, which includes bundling Chrome and other services, is cited as a prime example of leveraging attestation to enforce anti-competitive behavior, a practice found illegal in some jurisdictions.

In essence, GrapheneOS warns that the unchecked proliferation of hardware attestation threatens the concept of a general-purpose computing device, turning hardware and software choices into tightly controlled gatekeeping mechanisms rather than promoting actual security or user freedom.

The Gossip

Attestation's Double-Edged Sword

Many commenters dive into the philosophical and technical implications of hardware attestation. A prominent view is that these systems are less about security and more about corporate control and surveillance, with some arguing that remote attestation is 'inherently evil.' The discussion includes the lack of privacy-preserving technologies like zero-knowledge proofs (ZKP) in current implementations, suggesting that the current approach leaves users vulnerable to tracking and data correlation. Others dissect Google's attestation claims, arguing that its security value is dubious given its allowance of insecure devices while blocking secure alternatives like GrapheneOS.

Governmental Hand-Wringing

A significant portion of the discussion focuses on governments, especially within the EU, mandating or adopting hardware attestation for digital identity, payments, and age verification. Commenters express frustration that this decision ties national digital infrastructures to the US tech duopoly (Google and Apple), compromising digital sovereignty. The sentiment is that governments are either ignorant, incompetent, or complicit, prioritizing perceived 'security' or lobbying interests over citizen privacy and open standards. Personal anecdotes highlight receiving 'patronizing' responses when raising concerns with officials.

The Fading Free Computer Ideal

This theme explores the broader historical context of user control over computing devices. Commenters draw parallels to past battles, such as Intel's attempt to embed CPU serial numbers or Microsoft's push for secure boot in PCs, framing the current situation as an ongoing 'war on general-purpose computing.' There's a strong concern that hardware attestation, alongside digital identity and walled gardens, represents a systematic erosion of the ability to run arbitrary software on one's own hardware. Some call for legislative action to ensure hardware modifiability or to prevent bootloaders from enforcing vendor control.

Real-World Hurdles & Resistance

Users share direct experiences of encountering hardware attestation barriers, such as being unable to access banking services or complete reCAPTCHAs on non-certified devices or custom ROMs like GrapheneOS. These anecdotes underscore the practical challenges of resisting the duopoly's control. Proposed solutions range from adopting a 'two-device scenario' (a separate, compliant device for essential services) to calls for collective action, public education, and political engagement to push back against anti-competitive practices. There's a shared determination to find workarounds or support alternative ecosystems.