> In any case, it was always presented as a toolbox that countries should adapt into their apps – so judging the app by itself does not make much sense, it depends on how these techniques are implemented in each country’s verification app. There will be no single EU app, despite what the honchos of EU say.
Even more reason to make the "demo" app do things correctly because it's very unlikely that all member states actually implement things correctly.
> The internet is scary, parents think they can’t protect their children from many bad things happening, and someone came to provide a “solution.”
A simple solution is just not providing your kids with a phone or computer.
Don't forget that many sources of porn will not obey this. Think the pirate bay will ask for age verification? If they obeyed the law they wouldn't even exist.
It's a solution for nothing, as the article points out too.
Whether there is a single app or not doesn't really matter - I'm more concerned about the database itself and the inter-connectivity between them and most importantly by which control acceptance protocol we abide between states.
The idea that we want a single database or a network without any kind of control is frightening me.
Is all data about you "surveillance"? When your doctor produces a medical record after your visit, are they "surveilling" you? How about when the railway company stores your travels to bill you later?
I'll assume your answer is no, and in that case surely you must see the value in that medical record being correct.
Are you equaling mass surveillance to a doctor keeping track of your health for diagnostic accuracy purpose ?
Concerning the railway example, they only need to store how much I owe them, not my travels. Storing travel history on their end is already surveillance.
Data keeping purpose and consents are what make something surveillance or not.
Forcing every citizen to use ID to access the web is surveillance plain and simple.
> Are you equaling mass surveillance to a doctor keeping track of your health for diagnostic accuracy purpose ?
No, I am legitimately asking to clarify your position, hence why I assumed you wouldn't call that surveillance. The point was for us to agree that the right to correct data is a meaningful and useful right to have.
Once we've clarified that, the rest of the arguments comes down on the separation of "surveillance" from "record keeping", a separation you attribute to "Data keeping purposes and consents". That aligns with current EU law, and I largely agree with treating that as a separation point. If you have a valid purpose, either by law or by duty to your customer, you get to keep records necessary to fulfill that need. I would note that these "duty to your customer" clauses are usually pretty broad and would, I imagine, allow the railroad company to keep and process your travel record for fraud prevention purposes.
The issue we encounter is what a valid "data keeping purpose" is, and if we trust our public institutions and infrastructure to govern that question. Especially when the potential data processor is a government agency. I'm entirely uninterested in debating that question with a rando on HN. We likely live in two very distinct regulatory frameworks and have vastly different local governments. There's no basis for us to agree here.
I would however end by noting that the two clauses of your statement
> Data keeping purpose and consents are what make something surveillance or not.
and
> Forcing every citizen to use ID to access the web is surveillance plain and simple.
Are in tension with one another. Clause 1 opens up for the idea that there exists valid "non-surveillance" record keeping, and that the distinction of such record keeping from surveillance requires determination of consent and purpose. Clause 2 then forgoes that determination and just presupposes the argument. All ID checks are definitionally surveillance irrespective of purpose and consent.
In the current legal framework, government derives its unilateral consent from the vote. If the law passes in a democratic system then it is, by that very process, a consensual and valid purpose.
> Are in tension with one another. Clause 1 opens up for the idea that there exists valid "non-surveillance" record keeping, and that the distinction of such record keeping from surveillance requires determination of consent and purpose. Clause 2 then forgoes that determination and just presupposes the argument.
"Forcing" highlights the lack of consent, the distinction is still present.
> In the current legal framework, government derives its unilateral consent from the vote. If the law passes in a democratic system, then it is, by that very process, a consensual and valid purpose.
Absolutely not. Being voted in a parliament doesn't mean citizens consented to it.
Simple example: compulsory military enrollment vs voluntary military enrollment. Only one of them derives from consent, even if both derive from a law discussed in parliament.
Since you are bringing a semantic argument you might like to know that your doctor does in fact surveil you, hence the term "public health surveillance".
Governments need to identify citizens. They currently do this via paper records and extensive digital databases that those tie into. They will in future do this via digital records/tokens but this won’t change much.
Some amount of id verification and surveillance is of course required for a government to function, the question should be more what is allowed and what is not.
I mean that there is a big difference between a state automatically providing your data to any other state while having "their database disconnected" - and a human operator in the loop and an administrative verification of the appropriate access ;
For example this would allow a state to refuse access to the PI of their citizens for cases that are not administratively documented. This forces the access audit sufficiently that a malign actor cannot simply request data for a citizen without having probable cause ; another vector we want to protect ourselves against is simply the psycho/sociopaths that have access to these data without surveillance.
With the way elections changed after social media became big. Govts want to have control back, like they did before. And are increasingly curbing open internet with boogeyman CP or terrorists, new fear of mass AI CP. Ultimately we'll get 2nd hand version of great firewall and social credit system. Some "liberal democracies" already have root of such systems implemented.
I don't know if it has anything to do with changes in elections directly. My government has been talking for a while making the case that social media use makes us dumber, sadder, and more scared. I believe it's true that they also see that playing out in elections, but that's not where they want to solve a problem.
Wouldn't it be strange if solving a problem didn't affect elections?
>My government has been talking for a while making the case that social media use makes us dumber, sadder, and more scared. I believe it's true that they also see that playing out in elections, but that's not where they want to solve a problem.
The governments themselves are "dumber, sadder, and more scared". They are worried because social media puts regular people talking on equal footing to official propagandas (being able to reach everybody else). That's what they fear, because they have the lowest approval ratings and legitimization in over half a century, and they're also making everything shittier and shittier to the benefit of their corporate overlords.
You couldn't be more wrong. There's no equal footing when propaganda buys you thousands of bots to parrot what you want on every related post. And there is no ability to "reach everyone" when intransparent algorithms decide what reaches who. Moreover, some kind of content is explicitly suppressed and censored.
All of that is still irrelevant if the people can still express themselves. The truth can rise on top of bots.
The problem is the algorithm and the "explicitly suppressed and censored" and that's on the governments and corporations. So that's the worst argument for giving the government more control.
Statistics showed that bots don't change opinions. The only reason why certain establishments scream about them is to explain their election losses. People have very deep biases, and 'randos' blabbering online does not change them. It doesn't matter whether those 'randos' are bots or are real.
I will agree that governments are happy to bend the knee to corporations. But corporations control social media, so why would the corporations themselves not further their agenda using the platforms they control? Be that simply letting chaos ensue (see the UK Southport riots that were sparked by a "news story" from Pakistan) or from tuning the algorithms directly.
People have control over their government, at least in democracies that are functioning to a basic level (see Hungary recently). But they have zero control over social media, in fact the only organisations that can control global billion dollar tech companies are nation state governments...
they have the lowest approval ratings and legitimization in over half a century, because they're making everything shittier and shittier to the benefit of their corporate overlords.
This has been noticeable since Tahrir square; I used to say that Twitter gives you a revolution whether you need it or not.
But it's becoming increasingly clear how badly compromised the whole thing is with fake opinions and enemy propaganda.
I don't like either of the options. I don't like control by the state, and I don't like control by mad billionaires. I don't like the far right cesspool of 4chan, but can't disagree with their position that they shouldn't have to care about OFCOM.
> I don't like the far right cesspool of 4chan, but can't disagree with their position that they shouldn't have to care about OFCOM.
While I agree with this statement, I thought there was some kind of requirement that OFCOM goes through a process like this before being allowed to ask for a domain to be blocked in the UK?
The latter is, I think, something OFCOM should be allowed to do with a restriction that it can only come after other options fail.
Oh, it's much more stupid than that: OFCOM can't block websites, I just checked and it's available on my phone right now. They've issued a fine to 4chan instead. Which they are ignoring.
Imgur have gone the other direction: they have voluntarily blocked the UK (!), which is very irritating when trying to browse Reddit.
There's certainly a process, but not a good one.
(separate from all this, the Internet Watch Foundation maintains a blocklist which ISPs voluntarily follow, of actual CSAM.)
> OFCOM can't block websites, I just checked and it's available on my phone right now.
Until the process is complete, that's not evidence of inability, that's just the process:
Where appropriate, if a provider fails to comply with its safety duties, we can also seek a court order for ‘business disruption measures’, such as requiring payment providers or advertisers to withdraw their services from a platform, or requiring Internet Service Providers to block a site in the UK.
> There's certainly a process, but not a good one.
Indeed. There does seem to be a mutual non-comprehension of how the internet functions amongst lawmakers and enforcers in both the UK and the USA; both seem to act like they have more sovereignty over the internet than is possible without reaching much faster for a block order for sites outside their respective jurisdictions.
I think it has more to do with digital verification for social media in a hope of killing bot accounts that are interfering in the public debate. Some of the biggest social media influencer accounts turn out to be Chinese/Russian bots trying to fuel hate/division in our democracies, and with LLMs it is only getting worse. Some form of digital ID to verify social media account identities is probably the only hope left of having a real public debate.
Then the politicians should be honest about this goal. The best way to solve a problem requires understanding what the problem is. If we pretend to solve another problem, the solution for the actual problem will be less than ideal.
The bot problem is solvable by using a web of trust system. You don't need a digital ID for that (i.e. you don't need to tie your digital world identity to a real world identity, nor do you need a central agency to manage these).
In web of trust, anyone could publicly certify who they know is a real person (i.e. validate a link from their id to another id). Then, if you received a message from someone, the system would find the path in the graph of real people you trust, to determine the trustworthiness of the source. So if the account is a bot, there would be no path from it to you in the trust graph.
The advantage is that everyone could supply their own subjective trustworthiness score, altering the graph. They could even publish it, so that other people could use trustworthiness assessment of accounts they personally trust.
The big issue with a system of web of trust is that it is too efficient, and just kills commercial advertising (and also propaganda). Because that is all about overcoming the natural web of trust that humans have.
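The trust-graph lookup described in the comment above, sketched as an added example that is not part of the original thread or any poster's code: it finds the strongest chain of certifications from a viewer to a sender, lets the viewer apply their own scores, and merges scores published by accounts the viewer trusts. The account names, confidence values, hop limit and function names are all constructed assumptions.

```python
# Added illustration of a web-of-trust lookup; all names and scores are constructed.

# Directed certifications: certifier -> {certified account: confidence in (0, 1]}.
CERTS = {
    "alice": {"bob": 0.9, "carol": 0.8},
    "bob": {"dave": 0.9},
    "carol": {"dave": 0.5, "erin": 0.7},
    "dave": {"frank": 0.8},
    # Bots certify each other (and even certify a real person), but no real
    # person certifies any of them, so no chain leads from a person to a bot.
    "bot1": {"bot2": 1.0, "alice": 1.0},
    "bot2": {"bot1": 1.0},
}


def merge_published(own, published):
    """Combine the viewer's own scores with score lists published by accounts
    the viewer trusts. The most cautious published score wins, and the viewer's
    own scores always take priority."""
    merged = {}
    for scores in published:
        for account, score in scores.items():
            merged[account] = min(score, merged.get(account, 1.0))
    merged.update(own)
    return merged


def best_trust_path(certs, viewer, sender, overrides=None, max_hops=4):
    """Return (score, path) for the strongest certification chain from viewer
    to sender that uses at most max_hops links, or (0.0, []) if none exists.

    The score of a chain is the product of the confidences along it.
    overrides maps account -> the viewer's subjective score for that account,
    which replaces any certifier's confidence in it (0.0 cuts the account out).
    """
    overrides = overrides or {}
    best = {viewer: (1.0, [viewer])}
    frontier = {viewer}
    for _ in range(max_hops):
        # Snapshot so that chains extended in this round stay within the limit.
        current = [(node, best[node]) for node in frontier]
        frontier = set()
        for node, (score, path) in current:
            for target, confidence in certs.get(node, {}).items():
                new_score = score * overrides.get(target, confidence)
                # Confidences never exceed 1, so a cycle can never improve a score.
                if new_score > best.get(target, (0.0, []))[0]:
                    best[target] = (new_score, path + [target])
                    frontier.add(target)
    return best.get(sender, (0.0, []))


if __name__ == "__main__":
    for sender in ("dave", "frank", "bot2"):
        print(sender, best_trust_path(CERTS, "alice", sender))
    mine = merge_published({"bob": 0.0}, [{"carol": 0.2}])
    print("dave with overrides", best_trust_path(CERTS, "alice", "dave", mine))
```
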
>Some of the biggest social media influencer accounts turn out to be Chinese/Russian bots trying to fuel hate/division in our democracies
This is propaganda, none of those supposed networks exists or were successful in anything and when the media do show some supposed accounts they don't have a lot of views. Please stop falling for this, your democracy sucks because the politicians suck and the people want change so they turn to extremist parties.
Yes, obviously, the Romanian supreme court having to overturn and annul a presidential election due to Russian social media interference is entirely made up propaganda.
Countries have been interfering in the internal workings of other countries for centuries, if not millennia. If you want to read up on more recent accounts of this, many of which predate social media, the book Active Measures by Thomas Rid is a good place to start.
Or you can continue to think that this is all just made up "propaganda" and we're all fools, but you alone have seen the light.
Russian "bot farms" are investigated quite well. Usually they operate in Russian-speaking sides of platforms but sometimes they go "foreign". I agree that impact of those might be exaggerated but it's hard to measure in the first place.
That's actually great for social media companies to create a profile on you and feed you ads. They don't care about the bots or democracy. The only hope for a real public debate is to show up in person at the debate.
Via: https://discuss.grapheneos.org/d/24452-eu-might-enforce-goog... which specifically quotes the law that should forbid such approach (Article 6(4) DMA) - so EU initiative and engineers consciously and intentionally breaking EU law in the prototype that is supposed to be replicated later.
*invited to attend a hearing* after they could no longer ignore the fact the guy is openly selling (and previously posting) CSAM based on the real kids?
That would be a very gentle way to express hurt feelings, not the way to treat a guy who knowingly does that.
It seems unlikely that a true Zero Knowledge Proof system for things like age verification would ever be allowed.
Also, remote attestation doesn't work that way and for good reason. Under a true ZKP system, a single defector (extracted/leaked/etc key) would be able to generate an infinite number of false attestations without detection.
> It seems unlikely that a true Zero Knowledge Proof system for things like age verification would ever be allowed
This article is about EU age verification which is specifically and definitely stated as using zero knowledge proof in all technical docs that I've seen:
In that case Google play integrity cannot be used.
It certifies devices running on Oreo (because vendor didn't provide updates), meaning there are almost infinite vulnerabilities that will allow to leak the keys.
Interesting point about ZKP systems. The challenge with age verification is balancing privacy with enforcement — any centralized solution creates a honeypot for data breaches.
Digital ids are inevitable in my view, just as digital currency has become inescapable because it is more convenient and efficient, these ids will be issued and things like paper proofs of identity will fall away over time. Physical tokens like bank cards and driving licenses are neither necessary nor a good solution in a networked world.
Our focus therefore should be controlling what governments can do with them - for example disallowing blocking/removing someone’s id, just as we should disallow removing citizenship.
I think even digital IDs will tend to exist as physical tokens? Also worth noting that you can have a digitized and cryptographically signed ID on "paper" which can serve much the same purpose (security, machine readability) as an electronic one. Where electronic tokens shine (for IDs or otherwise) is attesting to the physical possession of a single copy.
This is not the same. For instance, we can access the internet without needing that ID. But right now there are attempts to force a digital ID in order to access information on the www - this is the whole idea behind "age verification". The kids are just used as excuse here. It has never been about the kids.
I think you're jumping to conclusions that aren't supported by the digital ID proposal.
Even with that: There's plenty of services dangerous to kids that we gate behind an ID check and I don't particularly see why internet is special in any way.
You think bad actors are going to plainly spell out their nefarious intentions? Or worse, the misinformed reactionaries that genuinely believe they're doing good.
No one claimed the internet should receive special treatment. The two forms of ID check that you're attempting to equate aren't the same.
I don’t see why they would bother with physical tokens nor would they be popular - things like passports are really quite expensive to manage and largely unnecessary these days. An app or identity on people’s phone might be a good stopgap.
However I suspect biometric methods of id verification will render carrying anything redundant long term.
The databases for digital id already exist, they’re just not fully utilised yet and these databases will always be centralised.
I doubt everyone will still be carrying phones as we know them in a decade, so we might indeed be headed for a future where governments keep giant databases of biometric information. Works OK if you trust your government to handle that properly and not abuse it in the future. The real headache is crossing borders, where your details end up in the hands of a foreign state.
> I don’t see why they would bother with physical tokens nor would they be popular - things like passports are really quite expensive to manage and largely unnecessary these days.
OK. I'll bite. Why are they unnecessary?
Passports have two things. They have information on them, which can be read by looking at them. And they have information on them in chip form, which can be scanned, and is also cryptographically signed by the issuing authority (eg, a government).
To verify a passport you can look at it visually, but you can also scan and validate the info, including photo, in digital form. All you need is the CSCA, the 'country signing certificate' to do so, and there aren't many of those. Small readers exist which are updated with these certs, and so even in the middle of a war zone, with RF jamming, you can verify a country signed what you're looking at.
Relying upon the Internet being there for ID purposes is a massive fail. You don't need a networked reachable database to validate that your ID is valid, in a digital way, which can be really helpful when 1M refugees show up at your door during a war, or when the capital city of the issuing nation has been bombed.
You may think this unimportant, but the edge cases are what 99.999% uptime is all about. And the edge cases with ID really need 100% uptime. The last thing you need during a natural disaster is an inability to ... well, do anything.
So even if you have biometric methods to identify someone, you'll also want a local, on person method which has those on chip, and signed by a government saying who you are.
Having ID network connected is also a massive, huge, immense fail. There should be no network connected databases of anything about anyone, in any form. Why? It'll be hacked. This will never, ever, ever change. Never. Paper records can't be hacked en masse, and you can get the same protections by storing records on individual chips with other associated info in paper form.
Dismantling this infrastructure and replacing it with buggy, hackable, online databases just to get digital ID verification is a complete move in the wrong direction. Verifying digitally signed information is not.
And passports can be scanned by phones.
Which means that the info, cryptographically signed, can be verified by anyone in the world too.
Really, what we need is to have everyone chipped, like a pet. Because that's where this ends up, and that's also the only way to always have your ID with you.
As a snarky aside, I've spent my entire life interacting with society all the time, yet only in the last decade has it been necessary to be "carded" constantly to do so. We've literally taken a privacy conscious society, and turned it into a nightmare. I'm identified when I go buy a loaf of bread, the most dystopian, totalitarian government anyone could ever conceive of, is a joke compared to the amount of control and tracking now exercised over people's lives.
So I guess my point is...
If it's annoying and difficult to have to carry around a physical identifier of who you are? And use it regularly?
Why is the solution to make it easier to submit to slavery?
Think that's an over the top statement?
We all know how the US government has pivoted on many things during the current administration. We also know it has had, and continues to have (via private enterprise) a robust degree of information about every fiscal transaction made.
If you look at the McCarthy hearings, they literally went so far as to find documents from decades prior, paper records of course, of people joining socialist clubs in university. Eg, simply sign-in sheets, or their names listed in the minutes of such orgs.
Decades later, that information was used to blacklist careers, destroy lives, not for any proof of malfeasance by those accused, but simply because they were curious in college about socialism.
Those same accused were then used to "name names".
My point is, from the financial data currently being stored about people, anything that makes you stand out in any way could be turned into a problem 10 years down the road. Not to mention, how credit card usage, and digital tracking, and location tracking might hit some pattern.
No one who lived through the McCarthy hearings, just watching them, or lived through how Germany or Russia controlled the lives of their citizens, would ever think any of this increased fingerprint of people is a good idea.
It's all just very dumb. And it will not end well at all.
> Relying upon the Internet being there for ID purposes is a massive fail.
Why would you need internet? Document holder smartphone can cache the document for years and present it over NFC (including photo, signature, etc). Just like existing biometric passports work, but replace the physical passport with smartphone app.
System checking it just verifies the signature is valid and thus all data presented is valid? Your browser doesn't need to query any Root CAs to trust SSL certificate, https works without internet.
History of entry and visas/etc could be stored on device as well
If you want to argue for a theoretical system that is self-contained, only relies on the data that is present on either the physical (or the theoretical cryptographically signed digital) passport, you're free to do that.
But in the real world, the systems that deal with processing people's entries already cross-reference multiple other existing databases, require internet connectivity to do so, and I think you'll have hard time convincing anyone to stop doing that.
If CBP's systems go down, they will not process (foreign, they'll process US citizens still) arrivals [1], even with physical passports in front of them. I assume the EU ESS works the same.
"If the internet goes down, your border checkpoint is down" is not some terrifying future we need to protect against, it's the reality of the world as you live in right now.
[1]: I've had to wait for an hour, at SFO of all places, because of exactly that happening.
TBF given that a temporary outage is abnormal it makes a certain amount of sense to default to shutting down. Whereas during an extended outage you can pick back up as long as the key parts of your system are capable of operating without the network.
For one thing, it increases resilience in the event of outages. It is a tangible aspect - just like citizens are encouraged to keep cash at home at least in my country (Sweden)
I don't see it as inevitable at any stage. Why would it be necessary? Why is access to information tied to a digital id suddenly? Also, where is digital currency inescapable? I can not pay with a bank note suddenly?
> Physical tokens like bank cards and driving licenses are neither necessary nor a good solution in a networked world.
I see absolutely nothing wrong with physical tokens. You could reason that this or that has more or fewer advantages but to insinuate that digital is always better, all of the time, is simply wrong.
In some places you cannot. I was in London post-COVID and there were a bunch of tourist things, like a riverboat on the Thames, where you could only pay with a card. Went to a craft cider bar out in the countryside and again, they didn’t accept cash. Personally, I think businesses should be forced to accept all legal tender, which means cash stays as a first class payment method, but that’s not how it is in many places.
On the other hand, in Austria there are many places that are cash only, especially small restaurants in the countryside or community sporting events with coffee bars.
> just as we should disallow removing citizenship.
However lots of countries do allow removing citizenship. In the UK it is a political decision too. Lots of countries allow locking people out of other things (e.g. freezing bank accounts). I therefore doubt we can effectively prevent this.
I do not see the problem with physical tokens. They are simple, do not create a single point of failure (if I lose my phone I still have my cards and cash), robust to network and systems failures. What is the drawback? Having to carry a few cards?
The drawback of physical tokens is that you can't use them online. I don't want to spend an hour waiting in queue at the city hall for something I can do online in 10 minutes.
The ideal state is having both physical and digital ID. But that will lead to a slow erosion of the willingness to carry physical ID, even if it stays available (which I believe it will for many decades. Even if national ID cards and drivers licenses were to go digital only, passports won't)
I use credit cards online all the time. I have logins for government services so I do not need to queue (I had to verify my ID using an app once for one of them). Getting a new driving license (for a change of address) was done online.
Yes and I find this deeply wrong - what politician would you trust with this decision? Debanking is also wrong in my view.
I think we should focus on laws against things like that which lead to tyranny rather than attempting to stop progress.
Cash in particular is expensive to produce/process and no longer honours the promise printed on it, it will be phased out as the transactions with it approach 0%.
Cards are really no different than a token in a phone and don’t work for long either in the absence of a network (both will work offline but do need to be reconciled). I haven’t habitually carried a card in about a decade, I think for similar reasons to cash they will die off by general consensus.
Cards are significantly different from a token in a phone:
1. They are physically separate. They are not likely to be stolen at the same time as a phone.
2. They do not require battery.
Cash has the same advantages, but even more so as it does not rely on networks at all.
If you only have phones as a means of payment what do you do if your phone is lost, stolen or out of battery? How do you even buy a new phone!?
I think phasing out cash is very short sighted. It is robust and reliable. There is a good reason the Swedish central bank recently recommended that people keep a certain amount of cash at home (1,000 SEK, equivalent to about £80/$108/94 EUR, per adult).
Actually, there is a good point in this: What if I don't want to carry my phone somewhere? I shouldn't be obligated to do so. For example what if I want to go to a demo? Or I simply don't want to be location tracked for an afternoon. There needs to be a non-electronic alternative. I guess we could carry some QR codes with us, that can be scanned by police officers.
> for example disallowing blocking/removing someone’s id
If I lose my passport I am obliged to call the police so that they revoke it, if I lose my phone with my digital ID on it they also need to be able to revoke that ID.
Sure, I meant disabling without replacement, making someone an unperson. Obviously updates and replacements would be required as with passports.
I don’t think governments should be allowed to do that. They do it with passports and I think it’s deeply wrong but also it would be far more damaging and immediate with a digital id (which will inevitably be used for a lot of services) - similar to being refused a bank account.
I can't help but think people mean something else when they hear "digital ids" than what they are. Like I have a digital id from the government of the Netherlands that I use to log into their government systems to declare taxes or what not. I had an X509 certificate issued by Ukrainian government and have their app to do the same.
The problem is what follows. They will make it mandatory to use the electronic ID to do anything, resulting in total surveillance. And if you happen to land on their "bad" list (which eventually everyone will), you're locked out of life completely. No banking, no traveling, no communication with anyone, no buying food, nothing.
How will the current approach result in total surveillance?
I would much prefer hotels would have a scanner which just transmits the bare minimum of identifiable information from the ID instead of it being completely normalized in many countries/hotels that they take your ID card and scan the full thing.
Can you explain to me, how with an eID one would be prevented from communicating with anyone or buying food?
> Can you explain to me, how with an eID one would be prevented from communicating with anyone or buying food?
Some government (will) make mandatory:
social accounts (so also IM apps like IG, WA, X, messenger), banks, buying simcard, internet, buying alcohol, cigarettes, energy drinks.
Some companies will make it mandatory implicitly or explicitly just for profit: selling your consumption data, analytics for themselves. E.g. in Poland it's harder and harder to pay with cash because of reduced staff and huge queues - they force you to use self checking. The pricing also changed so that you have to use their loyalty apps if you don't want to be ripped off - otherwise you will be paying 50% more.
> I would much prefer hotels would have a scanner which just transmits the bare minimum of identifiable information from the ID instead of it being completely normalized in many countries/hotels that they take your ID card and scan the full thing.
I don't like it either; the problem is that right now you mostly see this being abused only in some hotels. What's misleading is that this digital ID won't allow tracking because you're supposed to be "transmitting the bare minimum of identifiable information".
Are you kidding right now? Have you seen what's happening with ICE in the US? EU countries are just one effective social media campaign cycle away from the same policies. "It can't happen here" is foolish thinking.
Only that it won't stay at the minimum information. They will want more and more, with some thinly veiled greed for more info.
For example hotels: Some chains may think to advertise using fear mongering, claiming that their hotels are the safest, because they perform background checks based on the information from their customers' ID. You don't want that? Fine! Go elsewhere then! This is private property, if you don't agree to these ToS, you are not allowed to enter or rent rooms, sooo sorry! All you had to do is sign your privacy away here and then let us mine your data ... You don't have anything to hide, do you??
The issue is that every single involved party from business to government has an incentive to get more data from this system. If there are no laws with guaranteed severe punishments for violations etched into our inalienable human rights and constitutions and those are properly followed up on, in addition to making it technologically impossible to extract more information than necessary, the system sooner or later will be abused.
Easy. This was done during corona. They have security at the entrance of food stores and scanners. If you do not scan, security will escort you off the premises.
I prefer hotels without ID requirements. There is not a single shred of sound argument why a hotel needs to know who I am. Therefore I often stay in B&Bs without authoritarian ID-controls.
In Latvia we've had digital id for close to 20 years. Banks mostly use their own auth, some rely on digital id. No travel service has ever wanted me to use digital id, let alone any other kind of shopping. What we use it for is access to government resources, and signing digital documents. I trust this system WAY more than whatever some company comes up with.
> No travel service has ever wanted me to use digital id, let alone any other kind of shopping
Yup, until they are regulated to do so in case you buy booze, porn, metal detectors, crossbows or who knows what else. And until silversmith tries to dodge the draft but he accidentally bought some booze with his gov eID to party with friends.
No limitations during corona? Remember travelling through your neighbour during corona and was treated worse than a WW2 Jew in Germany due to not having the authoritarian corona passport.
This is what our every day will be like, when the state has internalized the enormous power of a 100% controlled digital ID. Bye, bye, freedom of thought.
You are most likely referring to the EU covid certificate. It functioned as a proof of vaccination or recent negative test, and yeah, that was required for travel at one point. And even then the verification end was `(code: string) -> valid: boolean` function, no personal data was accessible at validation point. It used the digital ID as SSO for accessing your records, so you could save / print the verification code, usually in form of a qr code. I know all this, because I'm friends with people that worked on the Latvian part of the system, and we spent long chat sessions discussing how to best do it in the least privacy-intrusive way.
If you were from outside EU, I fully believe the experience was subpar. 99% or more of verifications went through the EU system, and if you showed up with different kind of documentation, the people tasked with verification "at the edge" might not even know if it was valid form of proof.
Overall, I struggle with being outraged by the concept of digital ID. It's just a digital form of "show me your passport please". We have had physical national ID (mandatory from certain age!) for as long as I can remember myself. The state knows I exist. If a madman gets put in charge, lack of unified digital ID is not going to prevent airport style passport gates being erected around the booze stand.
I think what is happening is a rather philosophical rejection of the mere idea that the government should affect one's life in any way for any reason. Somehow all the laws that existed before are below the baseline, so they're kinda fine, but the new things -- those cause outrage.
Then comes this post-hoc rationalization about how it will inevitably be abused, Jews in Nazi Germany, apartheid and chips under the skin.
> And if you happen to land on their "bad" list (which eventually everyone will), you're locked out of life completely. No banking, no traveling, no communication with anyone, no buying food, nothing.
Not really. Government is not Big Tech. This happens with accounts of some tech companies precisely because they're private entities setting their own rules in the still wild "wild west" of the Internet. Governments set laws and processes to ensure the things you mentioned do not happen, except in very specific circumstances.
Think of it this way: being "locked out of life completely", resulting in "no banking, no traveling, no communication", etc. is not a new problem. In the off-line world we call that being sanctioned, imprisoned, deprived of personal freedoms, etc. Yes, it happens to some people, but usually for very specific reasons (called "crimes"), after a lengthy bureaucratic process (called "trial" and "sentencing"), with plenty of safeguards to catch and rectify mistakes during and after the fact (like "legal defenses", "appeals", or even "journalists"). It is not something you normally worry about.
Humanity has worked out best practices for these things over thousands of years of various tribes and nations and governments forming, disbanding, collapsing, emerging, conquering or becoming conquered. Adding electronic IDs on top does not change the nature of the thing. So you won't get locked out of life for posting the wrong emoji in a tax report comment; that would be like being thrown to prison for drawing something on a government form - or rather, if that's even remotely possible in your country, you have much bigger problems than digital IDs, and your best move would be to emigrate somewhere sane before borders close or civil war starts.
Plenty of other things to worry about here (e.g. ID checks suddenly being required by every business, just because it's zero effort to them for some marginal KYC benefit), but getting banned from life due to ToS violation is not one of them.
Being banned from life due to a TOS violation is a real concern because it's already hard to do a bunch of things without a Google or Apple account. If Google and Apple can require a government ID to create such an account, it becomes very difficult to evade a ban.
Options to get around that problem include regulating Apple and Google or mandating that essential services not require accounts with third-party providers.
> Options to get around that problem include regulating Apple and Google or mandating that essential services not require accounts with third-party providers.
I would call for both of these things, for independent reasons.
All providers who get relied on in this way should need suitable regulation, even for non-essential things like supermarket loyalty cards.
Apple and Google in particular are now too heavily associated with a government hostile to the EU, therefore the EU should as a matter of urgency ensure that essential services do not require them in particular, and the surest way to do so (and make sure no shenanigans happen with mergers) would be to mandate that essential services do not require accounts with any third-party providers. Not even the postal system or a telephone number, you should always have a viable fallback to some physical office which is open at reasonable hours and is in a reasonably accessible location.
In both Canada and the US we had people who were "de-banked" in recent years because the government was irritated with them. No trial. No hearing. Just a letter from the bank saying "We don't want your business anymore. Here's a cashier's check with your balance." In Canada at least some of the accounts were actually frozen. "Yes, we have your money, but no you can't have any of it."
In the US there's a requirement for banks to refuse to do business with anyone who would be a "reputational risk". I think it was intended to suppress money laundering. Anyway, when the government calls and says such and such a client represents a reputational risk, the bank doesn't have any choice.
I don't know how it works in other countries, but here in the US you'd be hard pressed to function normally in society without a credit card and bank account.
The idea that we want a single database or a network without any kind of control is frightening me
Why would you correct data about your very own surveillance?
I'll assume your answer is no, and in that case surely you must see the value in that medical record being correct.
Concerning the railway example, they only need to store how much I owe them, not my travels. Storing travel history on their end is already surveillance.
Data keeping purpose and consents are what make something surveillance or not. Forcing every citizen to use ID to access the web is surveillance plain and simple.
No, I am legitimately asking to clarify your position, hence why I assumed you wouldn't call that surveillance. The point was for us to agree that the right to correct data is a meaningful and useful right to have.
Once we've clarified that, the rest of the arguments comes down on the separation of "surveillance" from "record keeping", a separation you attribute to "Data keeping purposes and consents". That aligns with current EU law, and I largely agree with treating that as a separation point. If you have a valid purpose, either by law or by duty to your customer, you get to keep records necessary to fulfill that need. I would note that these "duty to your customer" clauses are usually pretty broad and would, I imagine, allow the railroad company to keep and process your travel record for fraud prevention purposes.
The issue we encounter is what a valid "data keeping purpose" is, and if we trust our public institutions and infrastructure to govern that question. Especially when the potential data processor is a government agency. I'm entirely uninterested in debating that question with a rando on HN. We likely live in two very distinct regulatory frameworks and have vastly different local governments. There's no basis for us to agree here.
I would however end by noting that the two clauses of your statement
> Data keeping purpose and consents are what make something surveillance or not.
and
> Forcing every citizen to use ID to access the web is surveillance plain and simple.
Are in tension with one another. Clause 1 opens up for the idea that there exists valid "non-surveillance" record keeping, and that the distinction of such record keeping from surveillance requires determination of consent and purpose. Clause 2 then foregoes that determination and just presupposes the argument. All ID checks are definitionally surveillance irrespective of purpose and consent.
In the current legal framework, government derives its unilateral consent from the vote. If the law passes in a democratic system then it is, by that very process, a consensual and valid purpose.
"Forcing" highlights the lack of consent, the distinction is still present.
> In the current legal framework, government derives its unilateral consent from the vote. If the law passes in a democratic system, then it is, by that very process, a consensual and valid purpose.
Absolutely not. Being voted in a parliament doesn't mean citizens consented to it.
Simple example: compulsory military enrollment vs voluntary military enrollment. Only one of them derives from consent, even if both derive from a law discussed in parliament.
Some amount of id verification and surveillance is of course required for a government to function, the question should be more what is allowed and what is not.
For example this would allow a state to refuse access to the PI of their citizens for cases that are not administratively documented. This forces the access audit sufficiently that a malign actor cannot simply request data for a citizen without having probable cause; another vector we want to protect ourselves against is simply the psycho/sociopaths that have access to these data without surveillance.
The way I understand it is more like tls certs, with each country managing their own root cert.
That’s not a solution. Nowadays many schools require access to a computer.
Also the class schedule including the substitutes are communicated per smartphone app
Wouldn't it be strange if solving a problem didn't affect elections?
The governments themselves are "dumber, sadder, and more scared". They are worried because social media puts regular people talking on equal footing to official propaganda (being able to reach everybody else). That's what they fear, because they have the lowest approval ratings and legitimization in over half a century, and they're also making everything shittier and shittier to the benefit of their corporate overlords.
The problem is the algorithm and the "explicitly suppressed and censored" and that's on the governments and corporations. So that's the worst argument for giving the government more control.
That argument seems easily debunked by pointing at the effectiveness of propaganda, which is in its essence indistinguishable from bots.
People have control over their government, at least in democracies that are functioning to a basic level (see Hungary recently). But they have zero control over social media, in fact the only organisations that can control global billion dollar tech companies are nation state governments...
But it's becoming increasingly clear how badly compromised the whole thing is with fake opinions and enemy propaganda.
I don't like either of the options. I don't like control by the state, and I don't like control by mad billionaires. I don't like the far right cesspool of 4chan, but can't disagree with their position that they shouldn't have to care about OFCOM.
While I agree with this statement, I thought there was some kind of requirement that OFCOM goes through a process like this before being allowed to ask for a domain to be blocked in the UK?
The latter is, I think, something OFCOM should be allowed to do with a restriction that it can only come after other options fail.
Imgur have gone the other direction: they have voluntarily blocked the UK (!), which is very irritating when trying to browse Reddit.
There's certainly a process, but not a good one.
(separate from all this, the Internet Watch Foundation maintains a blocklist which ISPs voluntarily follow, of actual CSAM.)
Until the process is complete, that's not evidence of inability, that's just the process:
- https://www.ofcom.org.uk/online-safety/illegal-and-harmful-c...
> There's certainly a process, but not a good one.
Indeed. There does seem to be a mutual non-comprehension of how the internet functions amongst lawmakers and enforcers in both the UK and the USA; both seem to act like they have more sovereignty over the internet than is possible without reaching much faster for a block order for sites outside their respective jurisdictions.
In web of trust, anyone could publicly certify who they know is a real person (i.e. validate a link from their id to another id). Then, if you received a message from someone, the system would find the path in the graph of real people you trust, to determine the trustworthiness of the source. So if the account is a bot, there would be no path from it to you in the trust graph.
The advantage is that everyone could supply their own subjective trustworthiness score, altering the graph. They could even publish it, so that other people could use trustworthiness assessment of accounts they personally trust.
The big issue with a system of web of trust is that it is too efficient, and just kills commercial advertising (and also propaganda). Because that is all about overcoming the natural web of trust that humans have.
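The trust-graph lookup described in the comment above, as an added example that is not part of the thread: certifications are directed edges with a confidence, the viewer's own or adopted scores cap them, and a sender with no chain from the viewer is reported as unknown. The account names, confidence values, hop limit and 0.5 threshold are constructed assumptions.

```python
"""Web-of-trust lookup: certifications form a directed graph; a sender is
trusted only if a chain of certifications leads from the viewer to them."""

# Constructed sample data: certifier -> {certified account: confidence in (0, 1]}.
CERTS = {
    "alice":   {"bob": 0.9, "carol": 0.6},
    "bob":     {"dave": 0.8},
    "carol":   {"dave": 0.9, "mallory": 0.5},
    "mallory": {"bot1": 1.0},   # one careless or bought certification
    "bot1":    {"bot2": 1.0},
    "bot2":    {"bot1": 1.0},
    "bot3":    {"bot4": 1.0},   # bots vouching only for each other
    "bot4":    {"bot3": 1.0},
}


def merge_scores(own, *published):
    """Combine the viewer's own per-account scores with score lists published
    by people they trust. Among published lists the lowest score wins; the
    viewer's own entry, if present, always overrides."""
    merged = {}
    for scores in published:
        for account, score in scores.items():
            merged[account] = min(score, merged.get(account, 1.0))
    merged.update(own)
    return merged


def best_trust_path(certs, me, sender, scores=None, max_hops=4):
    """Return (trust, path) for the strongest certification chain me -> sender.

    Trust of a chain is the product of its edge confidences, each capped by
    the viewer's subjective score for the account being certified. Returns
    (0.0, None) when no chain of at most max_hops edges exists.
    """
    scores = scores or {}
    if me == sender:
        return 1.0, [me]
    best = (0.0, None)
    frontier = {me: (1.0, [me])}  # strongest chain of exactly k hops per account
    for _ in range(max_hops):
        reached = {}
        for account, (trust, path) in frontier.items():
            for target, confidence in certs.get(account, {}).items():
                capped = max(0.0, min(confidence, scores.get(target, 1.0), 1.0))
                candidate = trust * capped
                if candidate > reached.get(target, (0.0, None))[0]:
                    reached[target] = (candidate, path + [target])
        # Every factor is <= 1, so a chain that loops never strictly beats the
        # same chain with the loop removed, which was found in an earlier round.
        if sender in reached and reached[sender][0] > best[0]:
            best = reached[sender]
        frontier = reached
    return best


def classify(certs, me, sender, scores=None, threshold=0.5, max_hops=4):
    """'unknown' = no chain at all, otherwise compare trust to the threshold."""
    trust, path = best_trust_path(certs, me, sender, scores, max_hops)
    if path is None:
        return "unknown"
    return "trusted" if trust >= threshold else "untrusted"


if __name__ == "__main__":
    for account in ("dave", "bot1", "bot3"):
        print(account, classify(CERTS, "alice", account),
              best_trust_path(CERTS, "alice", account))
    # Alice adopts a score list published by Bob that zeroes out mallory.
    adopted = merge_scores({}, {"mallory": 0.0})
    print("bot1 after adopting Bob's list:",
          classify(CERTS, "alice", "bot1", adopted))
```

The single edge from mallory to bot1 is the weak point the model exposes: one careless certification connects a whole bot cluster, and only the multiplied-down confidence or a published score of zero for mallory keeps it below the threshold.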
This is propaganda, none of those supposed networks exists or were successful in anything and when the media do show some supposed accounts they don't have a lot of views. Please stop falling for this, your democracy sucks because the politicians suck and the people want change so they turn to extremist parties.
Countries have been interfering in the internal workings of other countries for centuries, if not millennia. If you want to read up on more recent accounts of this, many of which predate social media, the book Active Measures by Thomas Rid is a good place to start.
Or you can continue to think that this is all just made up "propaganda" and we're all fools, but you alone have seen the light.
By forcing us to go through devices completely controlled by US companies?
https://news.ycombinator.com/item?id=47644406
Whitelabel/demo implementation specifically pushes FOR Google Play Integrity after being explained why that's a bad idea: https://github.com/eu-digital-identity-wallet/av-doc-technic...
Via: https://discuss.grapheneos.org/d/24452-eu-might-enforce-goog... which specifically quotes the law that should forbid such approach (Article 6(4) DMA) - so EU initiative and engineers consciously and intentionally breaking EU law in the prototype that is supposed to be replicated later.
That kind of serves as a proof to your opinion it's a boogeyman.
https://www.reuters.com/legal/litigation/musk-summoned-by-fr...
But they would gladly use that for more control.
That would be a very gentle way to express hurt feelings, not the way to treat a guy who knowingly does that.
Also, remote attestation doesn't work that way and for good reason. Under a true ZKP system, a single defector (extracted/leaked/etc key) would be able to generate an infinite number of false attestations without detection.
This article is about EU age verification which is specifically and definitely stated as using zero knowledge proof in all technical docs that I've seen:
https://eudi.dev/2.5.0/discussion-topics/g-zero-knowledge-pr...
It certifies devices running on Oreo (because vendor didn't provide updates), meaning there are almost infinite vulnerabilities that will allow to leak the keys.
Our focus therefore should be controlling what governments can do with them - for example disallowing blocking/removing someone’s id, just as we should disallow removing citizenship.
So yeah, I'd expect those to move to a phone as an alternative to the card
Even with that: There's plenty of services dangerous to kids that we gate behind an ID check and I don't particularly see why internet is special in any way.
No one claimed the internet should receive special treatment. The two forms of ID check that you're attempting to equate aren't the same.
However I suspect biometric methods of id verification will render carrying anything redundant long term.
The databases for digital id already exist, they’re just not fully utilised yet and these databases will always be centralised.
Don't want to wake you from that nice dream but that ship has sailed quite a while back, at least here in the EU.
OK. I'll bite. Why are they unnecessary?
Passports have two things. They have information on them, which can be read by looking at them. And they have information on them in chip form, which can be scanned, and is also cryptographically signed by the issuing authority (eg, a government).
To verify a passport you can look at it visually, but you can also scan and validate the info, including photo, in digital form. All you need is the CSCA, the 'country signing certificate' to do so, and there aren't many of those. Small readers exist which are updated with these certs, and so even in the middle of a war zone, with RF jamming, you can verify a country signed what you're looking at.
Relying upon the Internet being there for ID purposes is a massive fail. You don't need a networked reachable database to validate that your ID is valid, in a digital way, which can be really helpful when 1M refugees show up at your door during a war, or when the capital city of the issuing nation has been bombed.
You may think this unimportant, but the edge cases are what 99.999% uptime is all about. And the edge cases with ID really need 100% uptime. The last thing you need during a natural disaster is an inability to ... well, do anything.
So even if you have biometric methods to identify someone, you'll also want a local, on person method which has those on chip, and signed by a government saying who you are.
Having ID network connected is also a massive, huge, immense fail. There should be no network connected databases of anything about anyone, in any form. Why? It'll be hacked. This will never, ever, ever change. Never. Paper records can't be hacked en masse, and you can get the same protections by storing records on individual chips with other associated info in paper form.
Dismantling this infrastructure and replacing it with buggy, hackable, online databases just to get digital ID verification is a complete move in the wrong direction. Verifying digitally signed information is not.
And passports can be scanned by phones.
Which means that the info, cryptographically signed, can be verified by anyone in the world too.
Really, what we need is to have everyone chipped, like a pet. Because that's where this ends up, and that's also the only way to always have your ID with you.
As a snarky aside, I've spent my entire life interacting with society all the time, yet only in the last decade has it been necessary to be "carded" constantly to do so. We've literally taken a privacy conscious society, and turned it into a nightmare. I'm identified when I go buy a loaf of bread, the most dystopian, totalitarian government anyone could ever conceive of, is a joke compared to the amount of control and tracking now exercised over people's lives.
So I guess my point is...
If it's annoying and difficult to have to carry around a physical identifier of who you are? And use it regularly?
Why is the solution to make it easier to submit to slavery?
Think that's an over the top statement?
We all know how the US government has pivoted on many things during the current administration. We also know it has had, and continues to have (via private enterprise) a robust degree of information about every fiscal transaction made.
If you look at the McCarthy hearings, they literally went so far as to find documents from decades prior, paper records of course, of people joining socialist clubs in university. Eg, simply sign-in sheets, or their names listed in the minutes of such orgs.
Decades later, that information was used to blacklist careers, destroy lives, not for any proof of malfeasance by those accused, but simply because they were curious in college about socialism.
Those same accused were then used to "name names".
My point is, from the financial data currently being stored about people, anything that makes you stand out in any way could be turned into a problem 10 years down the road. Not to mention, how credit card usage, and digital tracking, and location tracking might hit some pattern.
No one who lived through the McCarthy hearings, just watching them, or lived through how Germany or Russia controlled the lives of their citizens, would ever think any of this increased fingerprint of people is a good idea.
It's all just very dumb. And it will not end well at all.
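An added sketch (not from the thread) of the offline check the passport comment above describes, following the ICAO 9303 passive-authentication layout: a pinned CSCA key certifies a document signer, which signs the hashes of the chip's data groups. Lamport one-time signatures stand in for the RSA or ECDSA signatures real documents use so that it runs on the standard library alone; the keys, the "UTO" country code and the data-group contents are constructed.

```python
import hashlib
import json
import secrets


def sha256(data):
    return hashlib.sha256(data).digest()


# Lamport one-time signatures: a stand-in (assumption) for the RSA/ECDSA
# signatures real documents carry. Each key pair may sign exactly one message.
def keygen():
    sk = [[secrets.token_bytes(32) for _ in range(256)] for _ in range(2)]
    pk = [[sha256(secret) for secret in row] for row in sk]
    return sk, pk


def digest_bits(message):
    value = int.from_bytes(sha256(message), "big")
    return [(value >> (255 - i)) & 1 for i in range(256)]


def sign(sk, message):
    # Reveal one of the two secrets per digest bit.
    return [sk[bit][i] for i, bit in enumerate(digest_bits(message))]


def verify(pk, message, signature):
    if len(signature) != 256:
        return False
    bits = digest_bits(message)
    return all(sha256(signature[i]) == pk[bit][i] for i, bit in enumerate(bits))


def encode_pk(pk):
    return b"".join(b"".join(row) for row in pk)


def encode_sod(sod):
    # Canonical byte form of the security object (data group name -> hash).
    return json.dumps(sod, sort_keys=True).encode()


def issue_document(country, csca_sk, data_groups):
    """Issuer side: the CSCA key certifies a fresh document-signer key, and
    that key signs the hashes of the data groups stored on the chip."""
    ds_sk, ds_pk = keygen()
    sod = {name: sha256(value).hex() for name, value in data_groups.items()}
    return {
        "country": country,
        "data_groups": dict(data_groups),
        "sod": sod,
        "sod_sig": sign(ds_sk, encode_sod(sod)),
        "ds_pk": ds_pk,
        "ds_cert_sig": sign(csca_sk, encode_pk(ds_pk)),
    }


def verify_offline(doc, pinned_cscas):
    """Reader side: needs only the pinned CSCA public keys, no network."""
    csca_pk = pinned_cscas.get(doc["country"])
    if csca_pk is None:
        return False, "no pinned CSCA key for issuing country"
    if not verify(csca_pk, encode_pk(doc["ds_pk"]), doc["ds_cert_sig"]):
        return False, "document signer not certified by pinned CSCA"
    if not verify(doc["ds_pk"], encode_sod(doc["sod"]), doc["sod_sig"]):
        return False, "security object signature invalid"
    for name, value in doc["data_groups"].items():
        if doc["sod"].get(name) != sha256(value).hex():
            return False, name + " does not match its signed hash"
    return True, "ok"


def demo():
    csca_sk, csca_pk = keygen()      # constructed key for specimen state "UTO"
    pinned = {"UTO": csca_pk}        # everything the offline reader stores
    dgs = {"DG1": b"P<UTOERIKSSON<<ANNA<MARIA",          # MRZ data (constructed)
           "DG2": b"<constructed face image bytes>"}     # photo (constructed)
    genuine = issue_document("UTO", csca_sk, dgs)
    tampered = dict(genuine, data_groups=dict(dgs, DG2=b"<swapped photo>"))
    forger_sk, _ = keygen()          # key the reader has never pinned
    forged = issue_document("UTO", forger_sk, dgs)
    return [verify_offline(d, pinned) for d in (genuine, tampered, forged)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```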
Why would you need internet? Document holder smartphone can cache the document for years and present it over NFC (including photo, signature, etc). Just like existing biometric passports work, but replace the physical passport with smartphone app.
The internet requirement is not there for the person presenting the document, it's for the person/system checking it.
History of entry and visas/etc could be stored on device as well
But in the real world, the systems that deal with processing people's entries already cross-reference multiple other existing databases, require internet connectivity to do so, and I think you'll have hard time convincing anyone to stop doing that.
If CBP's systems go down, they will not process (foreign, they'll process US citizens still) arrivals [1], even with physical passports in front of them. I assume the EU ESS works the same.
"If the internet goes down, your border checkpoint is down" is not some terrifying future we need to protect against, it's the reality of the world as you live in right now.
[1]: I've had to wait for an hour, at SFO of all places, because of exactly that happening.
Couldn't agree more. The more we know, the more susceptible we are to bias and division.
> Physical tokens like bank cards and driving licenses are neither necessary nor a good solution in a networked world.
I see absolutely nothing wrong with physical tokens. You could reason that this or that has more or fewer advantages but to insinuate that digital is always better, all of the time, is simply wrong.
In some places you cannot. I was in London post-COVID and there were a bunch of tourist things, like a riverboat on the Thames, where you could only pay with a card. Went to a craft cider bar out in the countryside and again, they didn’t accept cash. Personally, I think businesses should be forced to accept all legal tender, which means cash stays as a first class payment method, but that’s not how it is in many places.
On the other hand, in Austria there are many places that are cash only, especially small restaurants in the countryside or community sporting events with coffee bars.
However lots of countries do allow removing citizenship. In the UK it is a political decision too. Lots of countries allow locking people out of other things (e.g. freezing bank accounts). I therefore doubt we can effectively prevent this.
I do not see the problem with physical tokens. They are simple, do not create a single point of failure (if I lose my phone I still have my cards and cash), robust to network and systems failures. What is the drawback? Having to carry a few cards?
The ideal state is having both physical and digital ID. But that will lead to a slow erosion of the willingness to carry physical ID, even if it stays available (which I believe it will for many decades. Even if national ID cards and drivers licenses were to go digital only, passports won't)
I think we should focus on laws against things like that which lead to tyranny rather than attempting to stop progress.
Cash in particular is expensive to produce/process and no longer honours the promise printed on it, it will be phased out as the transactions with it approach 0%.
Cards are really no different than a token in a phone and don’t work for long either in the absence of a network (both will work offline but do need to be reconciled). I haven’t habitually carried a card in about a decade, I think for similar reasons to cash they will die off by general consensus.
1. They are physically separate. They are not likely to be stolen at the same time as a phone. 2. They do not require battery.
Cash has the same advantages, but even more so as it does not rely on networks at all.
If you only have phones as a means of payment what do you do if your phone is lost, stolen or out of battery? How do you even buy a new phone!?
I think phasing out cash is very short sighted. It is robust and reliable. There is a good reason the Swedish central bank recently recommended that people keep a certain amount of cash at home (1,000 SEK, equivalent to about £80/$108/94 EUR, per adult).
If I lose my passport I am obliged to call the police so that they revoke it, if I lose my phone with my digital ID on it they also need to be able to revoke that ID.
I don’t think governments should be allowed to do that. They do it with passports and I think it’s deeply wrong but also it would be far more damaging and immediate with a digital id (which will inevitably be used for a lot of services) - similar to being refused a bank account.
It's bad somehow?
See also: CCP
Why did you only ask about eID and not about "inescapable digital currencies" that was also mentioned in the same paragraph at the top of the thread?
You see, the government wants to control the people so they can control the government /s
For example hotels: Some chains may think to advertise using fear mongering, claiming that their hotels are the safest, because they perform background checks based on the information from their customers' ID. You don't want that? Fine! Go elsewhere then! This is private property, if you don't agree to these ToS, you are not allowed to enter or rent rooms, sooo sorry! All you had to do is sign your privacy away here and then let us mine your data ... You don't have anything to hide, do you??
The issue is, that every single involved party from business to government has an incentive to get more data from this system. If there are no laws with guaranteed severe punishments for violations edged into our inalienable human rights and constitutions and those are properly followed up on, in addition to making it technologically impossible to extract more information than necessary, the system sooner or later will be abused.
I prefer hotels without ID requirements. There is not a single shred of sound argument why a hotel needs to know who I am. Therefore I often stay in B&B:s without authoritarian ID-controls.
Yup, until they are regulated to do so in case you buy booze, porn, metal detectors, crossbows or who knows what else. And until silversmith tries to dodge the draft but he accidentaly bought some booze woth his gov eID to party with friends.
This is what our every day will be like, when the state has internalized the enormous power of a 100% controlled digital ID. Bye, bye, freedom of thought.
If you were from outside the EU, I fully believe the experience was subpar. 99% or more of verifications went through the EU system, and if you showed up with a different kind of documentation, the people tasked with verification "at the edge" might not even know if it was a valid form of proof.
Overall, I struggle with being outraged by the concept of digital ID. It's just a digital form of "show me your passport please". We have had physical national ID (mandatory from certain age!) for as long as I can remember myself. The state knows I exist. If a madman gets put in charge, lack of unified digital ID is not going to prevent airport style passport gates being erected around the booze stand.
Then comes this post-hoc rationalization about how it will inevitably be abused, Jews in Nazi Germany, apartheid and chips under the skin.
If you were to be treated worse than a Jew in WW2 Germany, you would not be writing about it here.
Not really. Government is not Big Tech. This happens with accounts of some tech companies precisely because they're private entities setting their own rules in the still wild "wild west" of the Internet. Governments set laws and processes to ensure the things you mentioned do not happen, except in very specific circumstances.
Think of it this way: being "locked out of life completely", resulting in "no banking, no traveling, no communication", etc. is not a new problem. In the off-line world we call that being sanctioned, imprisoned, deprived of personal freedoms, etc. Yes, it happens to some people, but usually for very specific reasons (called "crimes"), after a lengthy bureaucratic process (called "trial" and "sentencing"), with plenty of safeguards to catch and rectify mistakes during and after the fact (like "legal defenses", "appeals", or even "journalists"). It is not something you normally worry about.
Humanity has worked out best practices for these things over thousands of years of various tribes and nations and governments forming, disbanding, collapsing, emerging, conquering or becoming conquered. Adding electronic IDs on top does not change the nature of the thing. So you won't get locked out of life for posting the wrong emoji in a tax report comment; that would be like being thrown to prison for drawing something on a government form - or rather, if that's even remotely possible in your country, you have much bigger problems than digital IDs, and your best move would be to emigrate somewhere sane before borders close or civil war starts.
Plenty of other things to worry about here (e.g. ID checks suddenly being required by every business, just because it's zero effort to them for some marginal KYC benefit), but getting banned from life due to ToS violation is not one of them.
Options to get around that problem include regulating Apple and Google or mandating that essential services not require accounts with third-party providers.
I would call for both of these things, for independent reasons.
All providers who get relied on in this way should need suitable regulation, even for non-essential things like supermarket loyalty cards.
Apple and Google in particular are now too heavily associated with a government hostile to the EU, therefore the EU should as a matter of urgency ensure that essential services do not require them in particular, and the surest way to do so (and make sure no shenanigans happen with mergers) would be to mandate that essential services do not require accounts with any third-party providers. Not even the postal system or a telephone number, you should always have a viable fallback to some physical office which is open at reasonable hours and is in a reasonably accessible location.
In the US there's a requirement for banks to refuse to do business with anyone who would be a "reputational risk". I think it was intended to suppress money laundering. Anyway, when the government calls and says such and such a client represents a reputational risk, the bank doesn't have any choice.
I don't know how it works in other countries, but here in the US you'd be hard pressed to function normally in society without a credit card and bank account.