And meanwhile the exact same agency spits out government Android apps that use Play Integrity so citizens cannot ditch Google for GrapheneOS. This is symbolism, the minister does not actually care about digital sovereignty for the citizens.
I don't think so. It's more complicated than that. The state is not a monolith. Different heads are doing different things and it's a enormous bureaucracy. The divisions pumping out Android will eventually catch up to what's going on and the vulnerability they're exposing themselves to. These things take time. It doesn't all happen at once. People (who are not very technical, barely knowing what a computer is) need to understand what's going on and that can take a while. Let's just hope they figure it out before it matters.
It is probably unintentional. I work and worked in such projects (in The Netherlands), and the process is -rightfully- chaotic.
Governments typically don't have a central single team that builds all their android apps. They usually write a tender with loads of requirements and app-agencies will then build it. Or freelancers. Or volunteer teams. Or all of that. So there's no central team governed by one minister who can dictate what should happen today. There's hundreds of companies, teams, freelancers, interims, running around trying to make deadlines
Between writing a spec and the delivered app, there's chasms: could be a year between the specs are written and the first app pushed onto a phone. In a (trump)year a lot can change. But also between how specs are requirements or wishes in real life. "No user data may ever reach a google server" (actual specs are far vaguer and broader) may sound good, but will conflict directly with "user must receive push notifications of Foo and Bar". Or "passport NFC data must be attested for login", requiring a non-rooted, android, signed-by-google hardware attestation thingymajick.
So no, this is not malice. Nor incompetence. This is a sad reality, where we've allowed the monopoly to dictate what we, and users, expect, and to have that monopoly be the only option to provide those expectations.
As someone in the Netherlands, and also with a company in this space, could you point me to some relevant resources (like ongoing projects)? I'd love to help our country get more sovereign (in small steps).
Btw, NRC has a nice podcast series on the topic. One thing hampering the sovereignty effort is the enormous amounts of Azure/AWS/GCP certified people. Their career is build on these platforms.
Since a few people ask "What can I do to help my govt/region/country to become more sovereign", here's my tips on this:
- All governments under EU (on almost all levels) are "required" to use and/or produce software as Open Source. The source of "that government app" should be available somewhere (though quite likely is not)¹ So go hunt for the source and start there.
- Look at underlying standards. EU regulation, trickling down into local laws and guidelines, rely on Open Standards almost always. That app you use to log into your tax environment quite probably uses (a weird, hard to recognize) variation of OAUTH2 or OpenID connect, SAML or such. The app that shows the time+dates for garbage-collection, quite probably uses a simple ical-feed under the hood. With that knowledge, you may be able to develop/fork/use open source alternatives without too much effort².
- Show (local) representatives the alternatives. Listen to them. Learn from them. Most representatives are suprisingly open to you as expert. But, I cannot stress enough, learn and listen foremost. IT experts and open source community in particular have an (IMHO well deserved) reputation for being arrogant, know-it-all unfriendly and rediculously single-minded. So don't lecture that councillor for using Twitter instead of Mastodon, riduculing them for not using GPG or scoffing at their insistence on using Microsoft Word over Vim with Markdown (My younger self was such an arrogant neckbeard; I am now convinced I have done actual harm to the Open Source community that way). But ask why twitter, have they tried mastodon, or bluesky? Why not? Why did they leave? What features in MSword do they require? Did they know that Jitsi is an option? Maybe you can show how they could use Nextcloud for at least their own files? Sometimes you can answer some of their questions and help them. More often, you learn a few things that you could use to improve sovereign and open source alternatives and align them slightly more with whats needed.
¹ The details, interpretations and implementations are a mess, but the idea is "open source, unless..." for any software that any government buys, rents, builds, etc. In practice almost all projects fall under "unless...". I spoke to a MSFT account-manager for several local govts and he told me they have f*in training material to "help" govt officials write tenders/requirements in such a way that Open Source is practically excluded and Microsoft the only option. I am appalled, but also not that surprised.
² The ical-finding is how I got my local garbage-collection schedule into my calendar app. And when I told this to someone who happened to work at the municipality, they realized that publishing the urls and docs online helped a lot of citizens. Ironically, the push-back, according to this person, was from a civil-servant whose career was influenced on the success (install counts) of the "municipality app" and who was afraid that if people could add the calendar to their outlook/google cal/ical/other-cal, might no longer install the app. Again, I was appalled at such perverse incentives.
I think it has more to do with ignorance. Device attestation is not trivial to adopt while both Apple and Google promise you a very simple abstraction. So it takes being informed and having leverage in the process to be able to make a difference.
For me the blame is squarely on the technical “experts” who are behind the architecture and implementation of such apps.
Device attestation is precisely the thing I do not want my government to ever adopt. I have a Danish CPR number. They've given me a FIDO secure token generator as my phone is degoogled for MitID. Most Danes don't know what those words mean, and if they did, wouldn't understand why I distrust (all) governments (and indeed things! Three default scientific position is scepticism, albeit with varying degrees of priors)
The thing is, device attestation is fundamentally incompatible with digital freedom so governments should never adopt it to begin with. We lived without digital solutions that depended on device attestation and we will continue to do so.
guerrilla|4 days ago
I don't think so. It's more complicated than that. The state is not a monolith. Different heads are doing different things and it's a enormous bureaucracy. The divisions pumping out Android will eventually catch up to what's going on and the vulnerability they're exposing themselves to. These things take time. It doesn't all happen at once. People (who are not very technical, barely knowing what a computer is) need to understand what's going on and that can take a while. Let's just hope they figure it out before it matters.
Aeglaecia|4 days ago
berkes|4 days ago
It is probably unintentional. I work and worked in such projects (in The Netherlands), and the process is -rightfully- chaotic.
Governments typically don't have a central single team that builds all their android apps. They usually write a tender with loads of requirements and app-agencies will then build it. Or freelancers. Or volunteer teams. Or all of that. So there's no central team governed by one minister who can dictate what should happen today. There's hundreds of companies, teams, freelancers, interims, running around trying to make deadlines
Between writing a spec and the delivered app, there's chasms: could be a year between the specs are written and the first app pushed onto a phone. In a (trump)year a lot can change. But also between how specs are requirements or wishes in real life. "No user data may ever reach a google server" (actual specs are far vaguer and broader) may sound good, but will conflict directly with "user must receive push notifications of Foo and Bar". Or "passport NFC data must be attested for login", requiring a non-rooted, android, signed-by-google hardware attestation thingymajick.
So no, this is not malice. Nor incompetence. This is a sad reality, where we've allowed the monopoly to dictate what we, and users, expect, and to have that monopoly be the only option to provide those expectations.
teekert|4 days ago
Btw, NRC has a nice podcast series on the topic. One thing hampering the sovereignty effort is the enormous amounts of Azure/AWS/GCP certified people. Their career is build on these platforms.
berkes|2 days ago
- All governments under EU (on almost all levels) are "required" to use and/or produce software as Open Source. The source of "that government app" should be available somewhere (though quite likely is not)¹ So go hunt for the source and start there.
- Look at underlying standards. EU regulation, trickling down into local laws and guidelines, rely on Open Standards almost always. That app you use to log into your tax environment quite probably uses (a weird, hard to recognize) variation of OAUTH2 or OpenID connect, SAML or such. The app that shows the time+dates for garbage-collection, quite probably uses a simple ical-feed under the hood. With that knowledge, you may be able to develop/fork/use open source alternatives without too much effort².
- Show (local) representatives the alternatives. Listen to them. Learn from them. Most representatives are suprisingly open to you as expert. But, I cannot stress enough, learn and listen foremost. IT experts and open source community in particular have an (IMHO well deserved) reputation for being arrogant, know-it-all unfriendly and rediculously single-minded. So don't lecture that councillor for using Twitter instead of Mastodon, riduculing them for not using GPG or scoffing at their insistence on using Microsoft Word over Vim with Markdown (My younger self was such an arrogant neckbeard; I am now convinced I have done actual harm to the Open Source community that way). But ask why twitter, have they tried mastodon, or bluesky? Why not? Why did they leave? What features in MSword do they require? Did they know that Jitsi is an option? Maybe you can show how they could use Nextcloud for at least their own files? Sometimes you can answer some of their questions and help them. More often, you learn a few things that you could use to improve sovereign and open source alternatives and align them slightly more with whats needed.
¹ The details, interpretations and implementations are a mess, but the idea is "open source, unless..." for any software that any government buys, rents, builds, etc. In practice almost all projects fall under "unless...". I spoke to a MSFT account-manager for several local govts and he told me they have f*in training material to "help" govt officials write tenders/requirements in such a way that Open Source is practically excluded and Microsoft the only option. I am appalled, but also not that surprised.
² The ical-finding is how I got my local garbage-collection schedule into my calendar app. And when I told this to someone who happened to work at the municipality, they realized that publishing the urls and docs online helped a lot of citizens. Ironically, the push-back, according to this person, was from a civil-servant whose career was influenced on the success (install counts) of the "municipality app" and who was afraid that if people could add the calendar to their outlook/google cal/ical/other-cal, might no longer install the app. Again, I was appalled at such perverse incentives.
isodev|4 days ago
For me the blame is squarely on the technical “experts” who are behind the architecture and implementation of such apps.
azalemeth|4 days ago
ulrikrasmussen|4 days ago
simonh|4 days ago