I totally see what you're saying, but to me this feels different. Compilation is a fairly mechanical and well understood process. The large language models aren't just compiling English to assembler via your chosen language, they try and guess what you want, they add extra bits you didn't ask for, they're doing some of your solution thinking for you. That feels like more than just abstraction to me.
If this is true then a PM's Jira tickets are an abstraction over an engineer's code. It's not necessarily wrong by some interpretations but is not how the majority of engineers would define the word.
Requiring people to use products from one of two private American companies with a bad track record of locking people out of their accounts is more than “not great”. Some things are better not done if they can’t be done well.
So what can be used as an attestation API? WHAT will make sure that when a phone says "you're paying 10 euro to $coffee_place" that it isn't a bitmap being shown over "you're paying 10.000 euro to $scammer", above the pay button. Note: needs to be a real guarantee that isn't a permission question away from going away.
Either governments can develop (and pay for) THAT technology, or they can use Apple/Google ...
I'm not sure I want my government to develop that technology.
Government software is usually low-quality, expensive procurement crap, often riddled with security holes, and an exercise in checkbox checking. UX and user friction can't be expressed as a verifiable clause in a procurement contract, so they're ignored.
Besides, every time EU governments tried to force smartphone manufacturers to pre-install government apps, the population freaked out over (unwarranted) surveillance concerns. This isn't something you can do without pre-installing apps (you don't want these APIs opened up because then attestation loses all meaning).
Oh I see your confusion. It is not trying to prove it's not cheating with the UI (or remote control, or ...) to the owner of the phone. It's proving to the owner of the website (or app, or SIM, or ...) that it's really the user agreeing to the contract on the screen. Or, more to the point, it's proving it to courts after the fact so they'll convict the owner of the phone rather than the business or government.
The scenario it would prevent is that a government gets a filled-in form with someone requesting unemployment benefits, or reimbursement for a medical procedure on account X ... and then government finds out after payment, later, in court, that the owner of the phone never agreed to it and it needs to pay it out again (because of the claim, true or not, that a scammer initiated the payment agreement in some way rather than the owner). Same for business and agreeing to a loan and ...
It is NOT to protect you, the owner of the phone, against scammers (it does not really do that at all), it is to protect companies and especially governments AGAINST the owner of the phone. It is a way to fire most EU government employees by allowing automation that currently can't work because you can't legally trust phone and internet automation to be binding in court.
The argument here is kind of hard to follow. Who is the "owner" of the phone? "The user" is also mentioned and it is not clear if these two are the same. Is the owner of the phone in the controlling-software sense, Google, or is it the end user? Both fit, and both are commonly used.
Because if it is the end user, the strong version of the argument would be as follows: The end user signs a document, baked in is an attestation that Google guarantees that this device is an approved Android device with a clean boot chain and a Chrome web browser. Then the end user contests the signature in court, either because they didn't understand what they signed, or they did not sign it at all, or did it under threat. How could the attestation help here?
I do not have experience with all EU countries, of course, but more than one, and nowhere is this an issue today. Countries use a wide variety of electronic identification, from soft certificates and mobile phones to smart cards. But as far as I know, all countries accept signatures made even with normal Windows PCs. You can contest a signed document in court for a multitude of reasons, but that's not specific to electronic signatures.
By proving that when the user clicked "Yes, I want this loan, $X deposited on amount Y" that is actually what was on the screen then the user clicked approve. In other words, that the agreement is actually what the REMOTE party believes it is, even if the owner installed "Free coins in the bunny casino v7.0.apk" from a website.
(meaning that is not currently very provable, and exploited by scammers quite a bit. Courts have a nasty irritating habit of holding the more powerful party (ie. the bank/government) responsible for the consequences of scammers' actions. Well, at least from the viewpoint of banks/governments that is a nasty habit)
Do you imply that google can prove such a thing or it's just a security theater for (((compliance)))? AFAIK attestation attests hardware, not software, but hardware attestation is self contained and doesn't require any remote cartel permission, cf yubikey attestation.
The EU is trying to make a standard that courts will enforce because EU politicians (the commission, not parliament) really want that. But all EU countries are trying to save cash without touching what's causing the money problem (that would be pensions, there is no way in hell EU governments can spend what's required to keep pensions going as is even in 2026. In the past they spent all the pension money instead of investing and now they have to start paying it back, except they can't. And if they touch pensions ... well there's a French joke. It goes something like this "One of the greatest accomplishments of the 20th century is that you can see Paris from space. Look there it is, that flame right there ...")
So they're just going to use the Apple/Google standards and declare the job done. So it's theater from all sides. Politicians will pretend this is a good solution because they don't want to spend real money, and they really want to tempt EU kids to get loans on their smartphones because, you know, in the EU you're protected from companies exploiting you. Of course, that just means governments will have to do it instead.
Yes but in the real world all smartphones are either Apple or Android. Europe has zero footprint in either software or hardware. It is not creating a requirement to use specific products, it is using the products people already have.
So one may argue that the implementers are only taking the pragmatic approach regarding something that is out of their hands.
It literally has created the dependency on Google even though Android offers the standard/generic AOSP attestation.
Also you weirdly forget all the Chinese phones. There's also some tiny European brand which will have absolutely no way to limit their users' dependency on the famously hostile and uncontactable provider.
We're talking about an essential government service, not just another weather app. You have to look at this through the lens of national security, the debate about EU digital sovereignty, and the requirements of the GDPR in light of the US CLOUD Act, as well as prior decisions of EU courts about these issues.
Yes all that you wrote is true. But that does not magically change anything to what I previously stated: in the real world all smartphones are either Apple or Android...
I don't know what the eIDAS 2.0 requires in terms of security but it may make the choice the implementers made here unavoidable in practice, as hinted by @webhamster.
If so, it seems that a solution, if technically possible, might be to mandate that OSes provide the required security features without tie-in.
The outrage in the comments feels a bit like people yelling at clouds...
Right, because "you can't use an unpopular OS if you want your full rights as a citizen, and access to those rights must be additionally subject to a foreign corporation's opinion of you" is totally acceptable. I would go so far as to say that a government requiring any particular technology or private service to be a functioning member of society is hostile to all citizens. If your OS vendor / phone carrier / ISP all close your accounts despite no illegal activity, and your government has no alternatives you can use for essential services, then your government has sold your citizenship.
Correction. In the real world all smartphones are either Apple, Android or none/other. In terms of legals, you really do have to cater to all three, which is why we don't have one world government.
This is about a digital wallet, so people who don't have a smartphone are out of scope.
Now, "other" than Apple/Android is so small as to be negligible and governments also have a duty not to waste taxpayers' money, which means not spending hundreds of thousands to cater for an ultra small number of people who have an easy access to an alternative.
To have government apps work only on iOS and Android is perfectly reasonable in the current state of the world where this covers 99% of smartphones.
> To have government apps work only on iOS and Android is perfectly reasonable in the current state of the world where this covers 99% of smartphones.
the fundamental flaw with that approach is that it is totally unreasonable to have government apps in anything other than open source and fully public systems. nothing else can really be trusted, and any private/closed source option should be disqualified from the get go.
the reason is simple: you can't trust private entities or opaque systems, and you can't trust government either, thus the solution has to be fully transparent or you're doing nothing.
the problem with that is that it is hard, expensive and/or inconvenient.
Why should I have to have a smartphone to have a digital wallet? Smart watches, tablets, laptops, portable game consoles, etc, are all perfectly cromulent hardware for running a digital wallet.
Essential EU government services cannot be devised on the hope that US companies will invent something that - contrary to current US legislation - will somehow provide the attestation services needed in a GDPR-compliant way without forcing EU citizens to provide personal data to US companies.
If it's not possible to create such a system for mobile phones because of legal issues (as you seem to acknowledge and judges have found in the past), then the focus would have to be on creating hardware devices in the EU, ideally with open source hardware and software. These can be made reasonably secure, have been used by banks for a long time, and would enhance digital sovereignty.
What I find unacceptable is the attitude "well, it will violate the law but as a matter of practicality it's the only choice we have right now so we'll just do it."
> Essential EU government services cannot be devised on the hope that US companies...
I don't disagree. I am just pointing out that this is wishful thinking right now.
As said, Europe has zero footprint in hardware or software so the choice is either not to develop any digital services or to accept that they will run on foreign hardware/software because everything is either Android or Apple and runs on hardware that is from US/Taiwan/China.
Developing homegrown alternatives is pie in the sky or a 20 year project if we are optimistic (which I am not)...
Frankly, many comments, and the reactions to mine, show how out of touch and idealistic or naive the HN crowd can be.
EU can build token-generation hardware and that's the solution to the perceived problem. Such approaches have been used by banks for decades. It's not a "20 years project" to issue similar hardware to what my German bank issued 10+ years ago. I've explicitly stated in my post that the EU should not build a software solution for smartphones with US operating systems since this approach violates the GDPR and other laws because of a fundamental incompatibility of EU law with the US CLOUD Act that has been recognized by judges already. The proposed solution you seem to favor is illegal.
If I'm right, you're the person ignoring reality and basing their judgment on wishful thinking, not me. I understand why you want to have a smartphone solution ("practicality") but AFAIK that's currently not a viable approach. I might be wrong about the legal situation but that's what I've claimed. Just repeating your talking point is not a reasonable reply to these legal concerns. In addition to this, there are also serious national security concerns, of course.
I read about the new age check nonsense just before 26.4 downloaded, fortunately. I turned off automatic updates and so I guess I have a little time to get out of the apple ecosystem. I'm thinking GrapheneOS on Pixel 10. This is absolutely not required by UK law, apple just seems to enjoy the taste of government boot.
I am required to maximise my use of AI at work and so I do. It's good enough at simple, common stuff. Throw up a web page, write some python, munge some data in C++, all great as long as the scale is small. If I'm working on anything cutting edge or niche (which I usually am) then it makes a huge mess and wastes my time. If you have a really big code base in the ~50million loc range then it makes a huge mess.
I really liked writing code, so this is all a big negative for me. I genuinely think we have built a really bad thing, that will take away jobs that people love and leave nothing but mediocrity. This thing is going to make the human race dumber and it's going to hold us back.
I work at a company that maintains one of the largest Rails codebases in the world (their claim, but believable). My experience has been the opposite - Claude and Cursor have done a wonderful job of helping me understand and implement new features in this gigantic codebase. I actually found out through AI that while I enjoy writing code, I enjoy building great software better; the coding was just a means to the end.
If you open up the PDF it actually says written with AI... and author's 2 decades of experience with creative coding. I feel like it's a pretty fair disclaimer.
I used AI to do a lot of stress testing and to see what patterns fall out of the setting rule I wrote. Helped a lot with grammar checking and general editing. Brainstorming too.
When you write enough materials, the AI generated output started becoming less generic and actually interesting. Really cool. Still wouldn't use the generated output. The ideas, yes, but not the words.
I write every single word. It's not a shortcut by any means. Just means that your work can be narratively and technically more rigorous. Using AI to generate stories for you defeats the purpose.
If it didn't take you at least an hour to create something worthwhile, it's likely that you generated slop.
In the author's defense, I just read a chapter, and it doesn't feel like AI slop. I think they were just being brutally transparent with disclaimers. The author has "two decades of experience teaching creative coding".
Also the book is beautifully designed. Clearly a lot of effort and taste was put into it (as you'd expect from a Creative Coding book).
I'm not the target audience, but if this work was only possible because of AI, I'd say this is a win for the world.
Full disclaimer from the pdf:
> AI ASSISTANCE
> This book was created through an extended collaboration between the author, Claude (Anthropic), and ChatGPT (OpenAI). The structure, pedagogical framework, and frustrations catalog emerged from the author’s two decades of teaching creative coding. AI served as writing partner, generating draft content based on detailed prompts while the author provided direction, critique, iteration, and editorial control. AI was also used to generate specific images. All teaching insights, personal anecdotes, and educational philosophy originate from the author’s experience.
If an AI can license-wash open source software like this then the licenses become meaningless. Which is fascinating. Commercial software cloning that is simple enough for an average person to drive is next and the ultimate form of piracy, see an app for $10? Don’t fancy paying? Just ask ChatGPT for a clone. Future is going to be wild.
I take your point, but if the re-implementation looks the same, I would say it’s a form of copying. (Which I don’t think is a problem, I don’t think you should be able to own sequences of numbers.)